[36311] in bugtraq
Re: New google's top query?
daemon@ATHENA.MIT.EDU (Justin Wheeler)
Fri Aug 27 19:07:01 2004
Date: Thu, 26 Aug 2004 09:02:27 -0400 (EDT)
From: Justin Wheeler <bugtraq@datademons.com>
To: bugtraq@securityfocus.com
In-Reply-To: <412AC9EE.80400@sfsu.edu>
Message-ID: <Pine.LNX.4.61.0408260900070.950@neo>
MIME-Version: 1.0
Content-ID: <Pine.LNX.4.61.0408260900180.950@neo>
X-SA-Exim-Mail-From: bugtraq@datademons.com
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-1127074071-1093525213=:950"
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--8323328-1127074071-1093525213=:950
Content-Type: TEXT/PLAIN; CHARSET=iso-8859-1; FORMAT=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <Pine.LNX.4.61.0408260900181.950@neo>
It's also worth noting that the vast majority of the cards supplied via=20
this method, even when it isn't riddled with "hey look what google can=20
do!" messages, are test card numbers that are used only for testing online=
=20
payment software, and won't work on live sites.
Also, most of the cards I found when I tested it came with no expiry, and=
=20
9 times out of 10, online merchants also require the 3 digit verification=
=20
code on the back of cards aswell.
Lastly, I'd like to point out, there's a good chance that if the card has=
=20
made it into the public domain, someone else has probably already=20
exploited it, and any attempt to use it yourself would be nothing more=20
than blatant stupidity, as the card is likely already been cancelled, and=
=20
being monitored for more fradulent activity.
Google is doing nothing, and doesn't need to change anything. If they do,=
=20
what would be next, they have to locate people's names and scratch them=20
off because they might be under the witness protection program?
Regards,
Justin Wheeler
--
I hit the CTRL key but I'm still not in control!
On Mon, 23 Aug 2004, Alex Keller wrote:
> Re: New google's top query?
>
> this "hack" (really a numrange search) was covered at DEFCON12=20
> (http://www.defcon.org/html/defcon-12/dc-12-index.html) and widely known=
=20
> before it was publicized by Johnny Long (http://johnny.ihackstuff.com/)=
=20
> during his talk at the conference (to his credit, he did NOT release the=
=20
> exact syntax BTW). following that search now will yield little sensitive=
=20
> info, as most of the affected sites have removed the pages that demonstra=
ted=20
> this security breach. Google is well aware of the malicious activity that=
can=20
> be aided with their search engine....but they are in a bit of a predicame=
nt=20
> between notions of security and freedom; a common juxtaposition in politi=
cs,=20
> social order, and network security.
>
> this forum at Johnny's site has plenty more search "hacks":
> http://johnny.ihackstuff.com/index.php?module=3Dprodreviews
>
> for further investigation and vulnerability testing, check out Foundstone=
's=20
> SiteDigger:=20
> http://www.foundstone.com/index.htm?subnav=3Dresources/navigation.htm&sub=
content=3D/resources/s3i_tools.htm
>
> Athena is another powerful Google digging tool that can expose search=20
> vulnerabilities; although i can't seem to find a working download site ri=
ght=20
> now. you can grab the entire DEFCON12 iso (457MB) at:
> http://130.212.20.4/admin/defcon/defcon12.iso
> Athena can be found in the directory "Long".
>
> happy Google hunting...oh yeah, don't be an idiot and use this info for e=
vil.
>
> -alex
>
>
> other
> J=E9r=F4me ATHIAS wrote:
>
>>=20
>> Hi,
>>=20
>>=20
>>=20
>> i don't remember to have seen this info here...
>>=20
>>=20
>>=20
>> If information is knowledge and knowledge is power, then Google must be =
all=20
>> powerful. I say this because of the thing you can find on Google if you=
=20
>> know how to look for them. A new Google hack has come to my attention th=
at=20
>> brings back some information that is a bit troubling. I must say that it=
is=20
>> also good for the more you know about something the better you are to ac=
t=20
>> upon it. The hack is this:
>>=20
>>=20
>>=20
>> http://www.google.com/search?q=3Dvisa+4356000000000000..4356999999999999
>>=20
>>=20
>>=20
>> When this query is put into the Google search, an idea of the brut stren=
gth=20
>> of Google becomes apparent. You can find things like this, which may wor=
ry=20
>> you if you found your name on it.
>>=20
>>=20
>>=20
>> I=19m not really sure if Google knows what it can do, but they take an=
=20
>> interesting stance toward their provision of data.
>>=20
>>=20
>>=20
>> Regards,
>>=20
>> J=E9r=F4me
>>=20
>>=20
>
>
>
>
>
--8323328-1127074071-1093525213=:950--
