That password-protected site of yours - it ain't

It's one of the simplest hacks we've seen in a long time, and the more elite computer users have known about it for a while, but it's still kinda cool and just a little bit unnerving: A hacker has revealed a way to use Google and other search engines to gain unauthorized access to password-protected content on a dizzying number …

COMMENTS

This topic is closed for new posts.
  1. The Mighty Spang

    hope they don't patch this

    or at least put an option into google for "dont display stuff i can't access".

    i've accidentally clicked on so many "experts exchange" (lol) links in my time i could fsking scream. let's have a nice clean search engine for public information please.

  2. Stephane
    Gates Horns

    "Exports Exchange"

    Actually you can just see the answers by scrolling down on the page, after the huge category listing.

    That's like not even trying.

  3. Adam Williamson

    Not quite that easy

    It's not quite as easy as updating Wordpress - you then have to dump the entire contents of the Wordpress database and weed out the nasty content. Which is a pain. I should know, it happened to me too. Too lazy to update from 2.5 to 2.5.1. Sigh.

  4. Anigel

    easy fix - wrecks usability

    Google has had the option to give a username and password for accessing protected content on your site for ages now.

    On the other hand it used to really pee me off when I had to go through several sites before I could actually access the information without having to go through signups and validations even on free sites! So instead of the signup to see this post link the back button always got hit, and webmasters really need to look into the amount of visitors they are losing by insisting on signups on non premium sites.

    It's got to the point now where if there is no cache link on the google search result then I do not even bother clicking it as they are normally hiding content behind logins etc.

  5. michael W
    Dead Vulture

    "hacking"?

    This is such a retarded article :P

    don't want to come across sounding elistest or anything but surely the majority of Reg readers know about this sort of thing.

    Also, to try and boast about "haxking any site" using google cache is complete and udder shite. The only sites which don't require a login for search engine spiders are mostly forums that you would still not actually be "hacking".

    It's basically the equivalent of saying "if you use bugmenot.com to find out a password for a website so you don't need to sign up then you've hacked it!!!11!"

    ¬.¬ suppose I should just stick to securityfocus for actual proper security stories

  6. Jeremy
    Dead Vulture

    Hardly a "hack"

    Really, is it? It's by design for goodness sake.

    Anyone who manages a website using that technique knows full well that some users will be smart and stubborn enough to mimic a search engine bot to get around it. They also know that the vast majority won't and will happily sign up to get the info.

    Sensationalist nonsense, El Reg...

  7. Anonymous Coward
    Happy

    elistest

    "don't want to come across sounding elistest or anything"

    lol.. don't worry, you didn't..

  8. Ryan Barrett

    Don't encourage people to use expert$-exchange..

    ..that cancer of a site already b0rks most tech-related searches, and it's a pain typing -"experts-exchange" for each search.

  9. JohnG

    Google Hacking Database

    http://johnny.ihackstuff.com/ghdb.php

    It's often the cache that holds the interesting info.

  10. Anonymous Coward
    Happy

    BTW

    This works for porn sites .... apparently

  11. Anonymous Coward
    Anonymous Coward

    Elite computer users?

    I don't know if I'm elite yet, but this is very old news. Fix: don't let google see too much. I wouldn't call this a hack as much as people taking advantage of a silly designer.

  12. Anonymous Coward
    Thumb Down

    title no. 362

    "...By Ryan Barrett

    [talking about experts-exchange]

    ..that cancer of a site.."

    couldnae have said it better myself. how the hell does that turd of a site manage to survive - asking people to pay for stuff they can find out for free, provided they've got the gumption to scroll down the google search results page a bit?

  13. Tom Womack

    'usage rights'

    You can get Google to show you only stuff you can see by selecting 'usage rights: free to use or share' from the Advanced Search menu - this makes searches in the field of chemistry much more useful, since Google has indexed a lot of very expensive journals which serve only to tantalise

  14. bobbles31
    Coat

    Experts Exchange (aka Wankers Club)

    I have spent my 12 years in IT daily fighting off the urge to kill developers that seem to think that they are some kind of demigod because they know how to write a FOR loop and here comes an entire site that seems to be trying to make a business out of that very attitude.

    Anyway, that's my two pence, what is it that they say about experts?

    An ex is a has been and a spurt is a drip under pressure.

    Mines the one with, helpful and friendly mentor written on the back.

  15. Anonymous Coward
    Thumb Up

    So that's how it's done

    I'd often read about webpages which have been deleted off the net remaining accessible via Google's cache, but I never knew how to actually query Google for the contents of said cache - now I know it's as beautifully simple as just entering <cache:> before the URL in question!

  16. Anonymous Coward
    Anonymous Coward

    This has been around for ages

    dear gosh it makes the news, I don't know what is the noun for really old news, history, or how about cache.

    If your site is being indexed by google who runs an open cache then the information is not secure it is that simple :) Same as if you had a user who just posted all your content :)

    Java Applets that's the way, wheel out spotty blamonge girl, she has to be good for something, even then they could take screen shots ;)

    There is actually a way around this, but I am not saying, it is a useful feature at times, even if just see the squabbles on experts exchange about how their completely off base answer to a question was really right, so they can move up the experts ladder :)

  17. Michael Habel
    Boffin

    how is this better than the standard cache link that google give you already?!?!

    Ok I give in I'm thick as Pigsh*t about this concept other than to know the "address" of the site (e.g. the Page Number et-al) and to add the "cache:" before the URL in the Google Bar, wtf is actually any different (or better), than to just use the linked cache that google give you anyways?!

  18. Steve Sherlock

    re: Don't encourage people to use expert$-exchange

    Not to mention when you accidentally misplace the hyphen one character to the left. You don't want to know some of the things I've seen in my time...

    That being said, it's sad how expert-sexchange, errr, experts-exchange turned out - had a lot of promise in the early days :(

  19. Anonymous Coward
    Dead Vulture

    if you run a for pay site...

    ...and have not covered this off on day 1, you really need to re-think your career. The "serious" search engines make it pretty easy to stop your content from showing up in the cache. The search engine will have rights to your content, and others won't. And before whatever clever H4x0r that wrote this tripe starts yelling about "I will impersonate a searchbot blah blah... yawn" there is something called reverse lookup validation that will put that quickly to bed.

    Come on Register, this belongs in some bullshit BBC "high tech" page that some wanker over there writes, not on a site like this. Get a grip, guys, poor effort!

  20. Stephen

    Cloaking on user agent

    Most sites actually cloak purely on user agent without even checking the RDNS or a known IP list of google bots. So usually you can just change your useragent to match google bot and get in :)
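The reverse lookup validation mentioned in comment 19, set against the user-agent-only cloaking described in comment 20, sketched as an added example that is not part of the original thread. The function names, the crawler domain suffixes and the DNS tables are assumptions constructed for an offline run.

```python
import socket

# Assumption: reverse-DNS domains used by Google's crawlers.
CRAWLER_DOMAINS = ("googlebot.com", "google.com")

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]        # PTR lookup -> hostname

def system_forward(host):
    return socket.gethostbyname_ex(host)[2]   # A lookup -> list of IPs

def is_verified_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: the PTR name must sit in a crawler
    domain AND that name must resolve back to the connecting IP."""
    try:
        host = reverse(ip).rstrip(".").lower()
        # Match on a label boundary so googlebot.com.evil.example fails.
        if not any(host.endswith("." + d) for d in CRAWLER_DOMAINS):
            return False
        return ip in forward(host)
    except OSError:                           # herror/gaierror: no record
        return False

def classify(user_agent, ip, **resolvers):
    if "googlebot" not in user_agent.lower():
        return "visitor"                      # normal login/paywall path
    return "crawler" if is_verified_googlebot(ip, **resolvers) else "spoofed"

# --- constructed DNS data so the example runs without a network ---
PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "192.0.2.10": "dsl-10.isp.example",               # ordinary client
    "192.0.2.20": "crawl-66-249-66-1.googlebot.com",  # PTR set by IP owner
    "192.0.2.30": "googlebot.com.evil.example",       # lookalike suffix
}
A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "googlebot.com.evil.example": ["192.0.2.30"],
}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror("no PTR record")
    return PTR[ip]

def fake_forward(host):
    if host not in A:
        raise socket.gaierror("no A record")
    return A[host]

GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")

def demo():
    """Classify every constructed client that sends the Googlebot UA."""
    fake = dict(reverse=fake_reverse, forward=fake_forward)
    return {ip: classify(GOOGLEBOT_UA, ip, **fake) for ip in PTR}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

A request classified as "spoofed" gets the same login wall as any other visitor; only the forward-confirmed address is served the full page.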

  21. This post has been deleted by its author

  22. Anonymous Coward
    Coat

    It's hardly rocket or any other kind of science...

    This was posted in 2600 magazine a long time ago. (for those that didn't notice it themselves) And you hardly have to enter anything special---just do a Google search and click on "cached" when your links come up. Very useful feature not even counting the ability to bypass weak protection schemes.

    On a side note, responding to the person that mentioned what mistyping a single character can do--- some years ago when I used to use the "Metacrawler" search engine for my searches, I was showing it to a total newbie to the web. And I typed "Meatcrawler" instead of Metacrawler... I'm sure she's scarred for life...

  23. daniel
    Flame

    @Everyone

    Yes, you know it, I know it and as said in the article, it's been known a long time - Just as the rules to win friends and influence people in Dale Carnegie's famous book are known to everyone; but... how many people remember to apply them????

    Also, remember that all El Reg readers are not l33t hax0r5 like some of you whinging and whining there and some may not know about this.

  24. Cliff

    Another insultingly easy hack you can do...

    Another amateur-level 'hack' that can help you see content sometimes is to use your Firefox Web Development Toolbar's Cookies | Clear Session Cookies option. When you visit a site that allows you (say) 3 free downloads for non-members, then bounces you to another screen on your 4th download, clear the session cookies and try again.

    These protective measures are only there to deter the less determined and less savvy, they're not designed to be truly secure, as *truly* secure = expensive.

  25. T. Harrell
    Unhappy

    Google 1, Users 0

    As stated above already, this only works on amateurish sites that haven't bothered to implement much security. Any site with content worth looking at has used the more secure method of requiring google to use a password to login.

    I'm on the verge of moving to a different search engine, since I get burned so often by results that are payola. Google really should have a switch that prevents non-cached links from being displayed.

    BTW, the "free to use or share" option that google does provide is unacceptable. It only returns results for which the rights have been specified. The majority of public web pages don't have any rights info, so they are omitted, including wikipedia, apparently

  26. Mike Lovell
    Stop

    Re: Experts Exchange

    Hey, you guys do know that if you just scroll down to the bottom of the page, the Expertexchange article has the answers (not obscured).

    Try it! ;o)

    But keep it under your hat, don't want them to fix that one!

  27. Philip Skinner
    Coat

    Very simple if you read the docs

    Jeeze...

    <META NAME="ROBOTS" CONTENT="NOARCHIVE">

    ..mines the one with "Read the manual" on the back.

  28. mike2R
    Dead Vulture

    Article not so good

    Got to say I agree with those who say this article doesn't have any place on El Reg. It's not so much the content but the way it's presented. Title it 'simple tricks you can play with Google' and tone down the excited language and it would be fine. But this isn't a hack and it isn't news.

    As was said above, I could imagine reading this on the BBC site. Hell, you could probably read it out and it would make a perfect piece for 'Click...'

  29. Anonymous Coward
    Paris Hilton

    BUGMENOT

    Just flaming well use BugMeNot for these retarded sites that require a username and password to post something. Oh wai....

  30. David
    Gates Horns

    I fixed this problem

    It has nothing to do with the database as someone in the comments said. It is a hack on the header.php and one other file (which I cannot remember) in Wordpress. I fixed the problem by making the header.php file non-writable and it stopped this attack in its tracks.

  31. Anonymous Coward
    Anonymous Coward

    brillig

    O frabjous day! Callooh! Callay!'

    He chortled in his joy.

  32. spam
    IT Angle

    Booga Booga

    Just trying to comment using bugmenot. ;-)

  33. This post has been deleted by its author

  34. b

    @JIM THE BOSS

    jim, you need a new keyboard...

    great site, btw?:

    http://www.jimisboss.com/mt/index.php

    i can see why you're the boss!

    ;)

  35. b
    Thumb Up

    no understandy m8y!

    "JIM HAS BEEN SPEENDING SOME TIME AT A BIRTISH WESBITE CALLED THE RESISTER AND I HAVEV BEEN TRYIG TO SHRARE MY VAST BILLIANCE WITH THEM AND THEY JUST DONT SEEM TO UDNERSTAND ME"

    http://jimisboss.com/mt/2008/08/doig_buziness_wrold_wide.php#more

    just quality!

  36. kororas
    Boffin

    Experts Exchange

    I was under the impression that only worked with Firefox + NoScript. You mean to say it works on any browser? lol

  37. Alan W. Rateliff, II
    Paris Hilton

    @bobbles31

    1) Figure out what makes someone feel they are better than everyone else

    2) Design a for-pay website which caters to that 1337ness

    3) ...

    4) Profit!

    Paris, she feels better than everyone else, for-pay.

  38. Jared

    Bots

    I was in charge of "search engine optimization" at a magazine company when I was an intern fresh out of college. You had to be a subscriber or a search engine bot to see all the articles, otherwise it would just show you the first paragraph. When I supplied an app to the QA people that changed their IE user agent so they could test as the various bots we "uncloaked" for, they were shocked that regular users could so simply gain access to all our information for free. I got a good chuckle out of it.

    The shame here is that google et al allow this. They should hit a page with the googlebot user agent, then hit it with an IE user agent, and remove sites from their index that try this kind of nonsense. SQLServerCentral.com is the #1 culprit that I run into regularly, and they have the no-cache thing on so I have to resort to the user agent hack.

  39. Tim Bates
    Thumb Down

    Re: Experts Exchange

    They did "fix" that scroll to the bottom thing for a while some time back. Pissed off a number of people.

    I'm guessing someone noticed a huge decline in traffic and no increase in sales because it came back within a few weeks.

  40. Martin Nicholls
    Boffin

    Clueless Tardchange

    "i've accidentally clicked on so many "experts exchange" (lol) links in my time i could fsking scream"

    Indeed, behaviour like that should be grounds for a google ban. I find it hard to believe anybody visits that site by choice or worse actually pays - you have to wonder how they get things like pagerank when they're hated more than myspace.

    And worse why google see various tricks mentioned in their rules as suddenly fine when it's 'Experts Exchange'.

  41. Ron Enderland
    Alert

    @all Experts Exchange haters

    The answers are indeed in plain text at the lower end of the page, but a single-session cookie is set that goes away when you close your browser. That prevents you from viewing the answers on a second EE page. Prevent or delete the cookie, read answers for free all day long.

    In their meager defense, their experts often seem to have the answers to the issues I'm troubleshooting...

  42. Dave
    Heart

    @Jared

    "SQLServerCentral.com is the #1 culprit that I run into regularly"

    Then why not just register - it didn't cost me anything to join...

  43. Anonymous Coward
    Paris Hilton

    Google

    Is it just me, or is Google starting to suck? Everything I search for lately just returns a link to some wanker's opinion, midway through a thread on a forum, as opposed to a real article about my topic of interest. Oh yeah, and the top 5 are subscription only sites like the ones mentioned above.

    Is there anything better right now?

  44. Jared

    @Dave

    I did register quite some time ago, it just irritates me that I have to go through the trouble of logging in to access content that I feel like I should be able to access with one click, as that's how it was 'advertised' to google. Since there's not a huge probability that the article I'm trying to look at has the answer I'm after anyways, I don't want to be bothered with logging in to find out.

  45. Anonymous Coward
    Anonymous Coward

    Alternatives

    How about Exalead as an alternative.

    http://www.exalead.co.uk/search

    Just a little clunkier than Google.

  46. Anonymous Coward
    Stop

    Experts exchange

    I don't know why you noobs are knocking it just because you can't work out how to scroll down the page. I have never had to mess around with disabling scripting or cookies to be able to read the answers.

    I am an IT expert but I still find it very useful for dealing with obscure bugs and errors. For the less technically able it is a site that could be invaluable.

    Plus it is refreshing to see people answering problems without the trolls that haunt forums and comments sections such as yourself popping up to drown it with so much drivel.

  47. CockKnocker
    Paris Hilton

    interesting...

    Ok so I don't care whether this is an old or new vulnerability, it is news to me. The important question is, Can I now get all the free Pr0n in the world thanks to google cache, please god yes........

    Paris cos who hasn't seen that vid

  48. Mark Morgan
    Happy

    RE: Very simple if you read the docs

    "<META NAME="ROBOTS" CONTENT="NOARCHIVE">

    ..mines the one with "Read the manual" on the back."

    Indeed. There was a good case a couple of years ago where a Belgian newspaper company, Copiepresse - covering several countries, sued Google for making their copyrighted, paid-for, content available in their cache. Google didn't show at the court hearing and the judge ordered Google to remove all of the company's newspapers from the site. So, Google obeyed and removed the lot from the entire search index effectively wiping them off the net.

    Eventually the papers saw the idiocy in their ways, fixed their headers and asked Google nicely to reindex them.

  49. TimM

    damn Experts Exchange

    Pain in the arse that it is because it pollutes the search results, if you do really want to peek at the so called "expert" answers and your browser isn't giving you the results just by scrolling down, then the answer comes from this very article.

    i.e. Google's cache has them perfectly unhidden.

    Mostly a waste of space though. Better to filter them out of google entirely. Along with the hundreds of other sites that just are copies of other knowledgebase and forum posts in response to questions.

    Anyway, Google's cache is very handy I find. Not just for hidden stuff, but for viewing sites that are slow or down.

  50. Steve Roper

    Getting rid of experts-exchange

    Like so many here, this site turning up in tech search results has had me infuriated as well. My solution was to install the CustomiseGoogle addon to my Firefox. CustomiseGoogle allows you to block specific domains from turning up in search results. Needless to say, this bunch of arseholes were the first on my CustomiseGoogle ban-list!

    As to scrolling down to see the answer, in my experience that is complete and utter shite. I DID scroll on the EE pages when I first found them, but all I ever saw was their "you must pay to see the answer" page. No useful information to be found by scrolling or otherwise here.

    Now I have them blocked, and I haven't seen them come up in my search results for over a year now!
