Wednesday, December 16, 2009

An Accidental Google Hack

Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL Injection, which was nice. Well, being a bit of a newbie, after I got the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the passwords that I knew the cleartext of (my test account). It was using Base64 reversed. I also noticed that many of the passwords were "=Qmcvd3czFGc", which decoded to "password" (after reversing it).
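As an added example (not code from the original post or the application it describes), here is how a defender could audit a credential table for the weakness above, reversed Base64 standing in for a hash, next to a salted PBKDF2 replacement. The function names, the sample rows and the iteration count are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, os

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware

# Constructed sample rows; the first value is the string quoted in the post.
SAMPLE_ROWS = [("alice", "=Qmcvd3czFGc"), ("bob", "=Qmcvd3czFGc"),
               ("carol", "$2b$12$constructed-placeholder-not-a-real-hash")]

def decode_reversed_base64(stored):
    """Return the cleartext if `stored` is reversed Base64 of printable text, else None."""
    try:
        text = base64.b64decode(stored[::-1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and text.isprintable() else None

def audit_password_column(rows):
    """Flag reversibly encoded values and values shared by several accounts."""
    findings, seen = [], {}
    for user, stored in rows:
        seen.setdefault(stored, []).append(user)
        if decode_reversed_base64(stored) is not None:
            findings.append((user, "reversible encoding, not a hash"))
    for users in seen.values():
        if len(users) > 1:  # the same stored value means no per-user salt
            findings.append((tuple(users), "identical stored value, unsalted"))
    return findings

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || derived key."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + key

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, key)

if __name__ == "__main__":
    for finding in audit_password_column(SAMPLE_ROWS):
        print(finding)
```

With salted hashing, two accounts that both choose "password" no longer share a stored value, so a leaked string cannot be matched across accounts or looked up in a search engine.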


Now the accidental bit.

My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.



It seems his first hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).

Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.

site:yimwhan.com filetype:txt intext:password



Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?



Well we all know Bob, his curiosity gets the better of him.




Bob just couldn't help himself, could he!

I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!
