How I hacked the government with “just” Google

that_faceless_coder
Jul 1, 2019

H3ll0 Fr13nds,

Writing my first report on Medium made me nervous, with complete confusion about where to start. On the evening of 25 Jun 2019, around 18:30 UTC, after bug hunting on Bugcrowd, I decided to look into sites that had some juicy contents hosted online that were not meant to be.

Without talking much, let's dive into the case.

I went over to google.com and tried some Google dorks like site:redact intitle:"index of" filename

Surprisingly, I found “About 1,930 results (0.44 seconds)”.

Wait!!! What? Those who are new to this would ask what Google dorks are. According to whatis.techtarget.com, a Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website.

Back to the results. The government URL caught my attention, and wanting to feed my curious self led me to the page.

OK, so the part that got me excited: I saw MySQL files compressed in gz, and also some with a txt extension. It was a total compression of 14M; there was no way in hell I was downloading that onto my baby. That's when I thought to myself, why don't I just view the txt file, since that was about 43.

Did this government server really say “this file should not be publicly accessible”? Well, we still accessed it. I then decided not to feed my curiosity again.
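For a site owner, the exposure described above can be caught by auditing the web root before a search engine indexes it. The script below is an added example, not code from the original post; it assumes the server generates an "Index of" page for any directory that lacks an index file, and the suffix list, function names and sample tree are constructed for illustration.

```python
import os
import tempfile

# Assumption: a directory without one of these files is served as a browsable
# "Index of" listing (e.g. Apache "Options +Indexes", nginx "autoindex on").
INDEX_FILES = {"index.html", "index.htm", "index.php"}
# Suffixes typical of database dumps and backups, including the post's .gz/.txt.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".gz", ".tgz", ".zip", ".bak", ".txt")
# Text files that are meant to be public.
PUBLIC_TXT = {"robots.txt", "security.txt", "humans.txt"}


def audit_docroot(root):
    """Return [(relative_dir, [risky files])] for directories that would be
    listed to visitors and that contain backup-like files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if INDEX_FILES & {n.lower() for n in filenames}:
            continue  # not listed (files remain reachable by direct URL)
        risky = sorted(n for n in filenames
                       if n.lower().endswith(RISKY_SUFFIXES)
                       and n.lower() not in PUBLIC_TXT)
        if risky:
            findings.append((os.path.relpath(dirpath, root), risky))
    return findings


def build_sample_docroot(base):
    """Constructed sample tree: one exposed backup directory, one with an index."""
    layout = {
        "index.html": "<h1>home</h1>",
        "backup/db_2019.sql.gz": "constructed placeholder, not a real dump",
        "backup/readme.txt": "this file should not be publicly accessible",
        "docs/index.html": "<h1>docs</h1>",
        "docs/notes.txt": "not listed because docs/ has an index page",
    }
    for rel, body in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for directory, files in audit_docroot(build_sample_docroot(tmp)):
            print(f"{directory}/ is listable and exposes {files}")
```

Anything it reports should be moved out of the web root or placed behind access control, and directory listing should be turned off on the server.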

What do I do with this server? As an ethical hacker, it’s always important to report any findings you come across before the bad guy gets it. Now time to report the incident to the CSIRT.

Really!!!! The government has no CSIRT that findings can be reported to?!!! I still went ahead to the “Contact Us” page and emailed, asking for any further email address I could report this issue to.

SHOULD SECURITY BE TAKEN SERIOUSLY??? Kindly give your opinion in the comment field below.
