Google Search Vulnerabilities
Dorking is a legal but specialised subset of Google searching.
Google dorks are keyword searches that look for specific website content rather than searching for a general subject. They can be used to find exposed confidential information.
It was reported in 2020 that the collaboration site Trello exposed data to dork searches within its public documents. Trello boards are by default private and as such are not vulnerable to these searches. The Trello dork searches listed publicly by Darkrain no longer reveal sensitive information.
Google dorks are a useful tool for ethical hacking, penetration testing and evaluating a business's own web exposure. YeahHub provide a handy beginner's guide to useful, simpler dorks. A simple starting dork is link:, which looks for instances of a URL on the web and shows who is referencing that site. For example, link:kindus.co.uk will bring up other sites that link to kindus.co.uk, giving an indication of which websites link to Kindus. A look at the results shows that the useful hits include some sites run by Kindus itself, and that several of the ‘hits’ have no relation or link to Kindus in any way, shape or form.
The search phrases can also be chained together for more refined results. There is a list of the most popular dorks of 2022 on boxpiper. These clearly show the use of dorks within the hacking community and the applications that they might be targeting.
Sensitive information should never be publicly exposed on the web: if it is not there then the criminal is not going to find it. There will always be a need to share some data and a race between ‘secure’ ways to share data and hacks to break through that security. If a page or site is password protected, it will still show up on a search, but a hacker will not be able to access its contents.
Google dorks have been around for years and, if nothing sensitive is exposed, should not be a worry. Running dorks is not illegal, but accessing data found through such searches could break the law. Dorks can be blocked by setting up a robots.txt file in the root of the web directory to block or restrict search engine indexing.
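The robots.txt approach described above can be checked before deployment. The following is an added example, not part of the original article: it uses Python's standard urllib.robotparser to report which paths a crawler may still fetch, and shows a common mistake where a crawler-specific group replaces the wildcard rules instead of adding to them. The robots.txt contents and paths are constructed samples. robots.txt is only a request to compliant crawlers and does not restrict access, so sensitive pages still need authentication.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample: the Googlebot group was meant to "add" to the * group,
# but a crawler obeys only the most specific group that matches it.
WEAK_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backups/

User-agent: Googlebot
Disallow: /admin/
"""

# Corrected version: one wildcard group that covers every sensitive area.
FIXED_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backups/
Disallow: /reports/
"""

# Constructed list of paths the site owner wants kept out of search results.
SENSITIVE_PATHS = ["/admin/login.php", "/backups/db.sql", "/reports/2022.pdf"]


def crawlable_paths(robots_text, paths, user_agent="Googlebot"):
    """Return the paths that user_agent is still allowed to fetch."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return [p for p in paths if parser.can_fetch(user_agent, p)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ROBOTS), ("fixed", FIXED_ROBOTS)):
        for agent in ("Googlebot", "Bingbot"):
            exposed = crawlable_paths(text, SENSITIVE_PATHS, agent)
            print(f"{name:5} {agent:9} still crawlable: {exposed or 'none'}")
```
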