Unprotected Google directory spills database data


Summary: Google has hurriedly fixed a gaping hole in its Web page removal request tool after outsiders discovered they could traverse up the directory root, browse folders and find weak database passwords.



The flaw, first reported by Earl of Grey's blog, exposed an unprotected internal Google directory. The Hacker Webzine poked around and found some fun stuff:

Apparently it is a simple directory that wasn't protected, so we can traverse up their directory root and browse folders. A study gave me the impression this hole is unique, legit and not a honey pot. Now it can happen to the best of the best that a directory becomes readable. But, one must never, ever, not in a million years, store your database connection info in a folder that can be viewed remotely. Like the www folder.

And it looks like Google has a password-strength problem:

What strikes me most is that they log in as root user and, second, the utter simplicity of the used passwords: 6 chars long, 4 digits and two letters in the first one. A little ironic regarding Google's advisory on password strength.

A rar file with some of the exposed data is available here. More from RSnake.


Talkback

12 comments
  • And Google wants everyone to trust

    them with their personal data? Don't think so...
    No_Ax_to_Grind
    • Every company...

      As a veteran of the software industry it's easy to see that one given for ANY major company is that they will need to LEARN security, and that learning process is long, difficult, and comes with numerous security gaffes.

      Google is at the BEGINNING of this process, over the next five years I expect to see mistakes like this over and over until they eventually learn the costs associated with those mistakes. It's just the cost of being a highly successful software company that needs to churn out code as fast as possible.
      KTLA
      • Excuse me?

        At the beginning? Google has been in business for years. I can't believe the slack
        people cut these jokers.
        frgough
        • I have to agree, Google DOES know better.

          But lazy is easy...
          No_Ax_to_Grind
          • it was probably a lazy developer.. they are always doing this stuff.

            d
            Been_Done_Before
        • Not "slack"

          You are misunderstanding me. Google deserves all the criticism they get, like every other company.

          They are at the beginning of the security learning process, because they have not had scrutiny on their every move for the past 15 years, like some other major company. They've had pretty much a free pass until now.

          They will keep on making these mistakes until it starts costing them billions. (Which is a certainty.)
          KTLA
      • Yeah, but

        where do they get the chumps to be their "pioneers"? It's not going to be me, that is for certain. I don't know that I'd ever trust Google with my data, but I would at least wait until all security issues had settled down to none serious for a few years, then I'd wait another 5 years on top of that. Well, by then Microsoft or someone else will be offering comparable or better web experiences anyway, so I guess I'll never use Google.
        xuniL_z
  • It has begun

    :(
    John Zern
    • It began a while back

      it has just become noticed, yet will it be remembered or deeply acknowledged . . .
      Boot_Agnostic
  • There's a reason for proper design and testing.

    I don't know what sort of design, testing, peer review processes and vulnerability analysis Google uses, but there's a reason these exist, especially when applied to huge companies like Google with millions of users with personal data at stake.

    What we see here looks like a hack, not something we'd expect from a company like google, with the reputation they have.

    There's a reason I keep reiterating the privacy risks of trusting your data to companies like google, if you look at their data retention policies.
    kraterz
    • "reputation"?

      "not something we'd expect from a company like google, with the reputation they have."

      Their "reputation" is currently made up of an RDF (reality distortion field), much like Steve Jobs uses to great effect. Google in 2012 may still be huge, but will have been brought down to earth painfully if they intend on remaining as large as they are. Same would happen for Apple if they ever get out of their niche, but that isn't likely to ever happen.
      KTLA
    • Google doesn't test.

      Because they are so smart.

      http://blogs.zdnet.com/microsoft/?p=48

      (from the above, Alan Warren, Google's director of engineering:)

      Warren bragged that Google has "the lowest ratio of testers to engineers" in the industry. "We can get away with that because we are building the code reviews in from the start," which "tends to make the code more robust than usual."

      In other words, they don't have to test because they are so smart. They "build in the code reviews from the start", which apparently, after 40 years of software development worldwide, no one else ever thought of.
      hickum