Whilst reading a pretty mundane looking “Life Pro Tips” article I came across a tip for searching Google for free Android APKs. The idea was pretty simple in its design, and I was curious because it reminded me of the content of the GHDB (Google Hacking Database). I wondered what else I could stumble upon using that string as a starting point. This is 2015, 12 years after that initial list of search strings started to appear. Surely people have learnt since then, and even the servers that were left open close to the GHDB heyday have been closed down? Well, the answer is sadly no, no they have not.
The crux of this is that I want to avoid downloading anything actually illegal. I would rather this article wasn’t used to promote all the free content you can get on the internet without torrents or Usenet. When I do come across anything illegal I will pull only a file that won’t get me in trouble, to check the permissions, and that is it. This can be a .nfo, a .txt or an image: basically anything that won't get me an angry letter in the post.
I have thought long and hard about whether I should expose this private-but-public content. The crux of it is that most of the examples have had quite a few years to cover up the content. There is only one way to learn now and that is by example. I will do my best, where possible, to contact each person and warn them before I publish. It will be up to them to fix the hole before people go directly to their content.
OK, we are going to start off with something rather innocent looking. In an ideal, law-abiding society I should get back only manuals and public domain publications, but this was not the case, as I am sure you can imagine.
Taking the first Google result,
it looks like we have already run into a quite broad collection of ebooks. I would say this is a package that the user has downloaded. There is a link to go up a folder, and this takes us to what looks like a band's website.
Thankfully there is a link to their Facebook page, so I will leave them a note on there telling them to fix this.
Below is a grab of their neat little collection. Quite a well-read bunch if they have consumed all of these.
Going down the list a little, there seems to be someone’s user account on a college or university server.
Back in the day it was common for sysadmins to map users' home folders straight into Apache (mod_userdir, which serves each user's public_html as http://host/~user/), making every home folder available to Apache and to anyone who can reach the server.
This is where it starts to get embarrassing. We can see this man is not only reading up on all things computer science and Linux but is also reading up on sex advice. I have to admit I had to look in the folder… but what is worse is his ‘Dick Guide’. Not sure this is something you want associated with a photo of yourself.
As before we can travel up a folder, and this is where it gets interesting. We know what college or uni this chap was at, and now we find out more about him. We know part of his name from his username. It turns out we can even find a photo of the poor chap here.
So not only can we work out from the name of the photo that this is a chap called Pavlin, we also see what his schedule was and photos of places he has visited. This is a stalker's wet dream.
Sadly it doesn’t stop there: from here you can get to the rest of the users on the system… not good.
As I do a bit more digging through the Google results I find further examples of open personal documents and PDF stashes. I have to say, I feel bad for the authors of those books. Not only do these people pirate their books, they probably don’t even do the decent thing and read them.
In case you are unaware, DCIM (Digital Camera Images) is the standard folder name digital cameras and mobile phones use for their photos.
I was amazed by the first result for this search term, which was called “phone backup”. Would someone really back their phone up to a publicly accessible place?
Looking at the content, however, I quickly realised I had stumbled upon what seem to be some very intimate and personal photos (WARNING: NSFW). This genuinely seems to be a dump of someone’s memory card from their Android phone.
We even have one of their Facebook profile photos:
Hmmm, that is sound advice. Maybe I should check my own sites for directory listings before I post this? Sorry Inge, but that was a bad location to store your private phone photos. Again we can traverse up further and see more private photos, and even which applications were on her phone, as APKs (Android Application Package files). I didn’t really enjoy going through this lady’s private photos, so I didn’t go too far to see if there were any readable .txt files or other information.
Let’s leave poor Inge alone and have a look at the next listing. Again this seems to be a backup from an Android device, and again it contains personal photos from the user. This person is just filter mad; how about glue sticks… with a filter?
There are just too many hits for this search to go through them all. I was quite amazed by how many results I got back, and by how many folders labelled ‘private’ I could find that really are not, and even family photos. I can’t contact all these people, but they really need to find out somehow.
I even changed tack a little and altered the search to check for “100ANDRO” (another folder name some Android phones create under DCIM), but this returned far too many hits from people who had uploaded and shared their phone contents publicly. There is a lot of porn and private images, so for now I am going to leave this one. If you have ever backed up one of these folders you might want to check the permissions on them!
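If, like the author, you want to check your own sites for directory listings, here is an added example (my code, not the post's) in Python. It recognises an Apache mod_autoindex or nginx autoindex page by its “Index of” title, pulls out the listed entries, and flags names of the kind that turned up in the searches above: DCIM, 100ANDRO, APKs, .nfo and .mkv files, anything called ‘private’ or ‘backup’. The sample pages are constructed to look like those listings, not captured from any real site; the flag list is an assumption to extend for your own environment; and the check_url helper really does go to the network, so only point it at hosts you own.

```python
"""Spot web-server directory listings and flag entries worth a second look.

Added example: recognises Apache mod_autoindex / nginx autoindex pages by
their "Index of" title, extracts the listed entries and matches them against
names seen in the searches above (DCIM, APKs, .nfo/.mkv files, 'private',
backups).  The SAMPLE_* pages below are constructed, not captured.
"""
import re
import urllib.request
from html.parser import HTMLParser

# Illustrative flag list (assumption); extend it for your own environment.
SUSPICIOUS = re.compile(
    r"^(dcim|100andro|private)$|backup|\.(apk|nfo|mkv|pdf|epub|txt)$", re.I)


class _LinkCollector(HTMLParser):
    """Collect the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_listing(html):
    """Return (is_listing, entries).

    is_listing is True when the page title starts with "Index of", which is
    what both Apache's mod_autoindex and nginx's autoindex emit.  entries are
    the hrefs minus the navigation noise: Apache's "?C=N;O=D" column-sort
    links and absolute "Parent Directory" link, and nginx's "../" link.
    """
    p = _LinkCollector()
    p.feed(html)
    is_listing = p.title.strip().lower().startswith("index of")
    entries = [h for h in p.hrefs
               if not h.startswith(("?", "/", "#")) and h != "../"]
    return is_listing, entries


def flag_entries(entries):
    """Entries whose name (trailing '/' of subfolders stripped) matches SUSPICIOUS."""
    return [e for e in entries if SUSPICIOUS.search(e.rstrip("/"))]


def check_url(url, timeout=10):
    """Fetch url and return (is_listing, flagged).  This is a network call:
    only point it at hosts you own or are permitted to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    is_listing, entries = parse_listing(body)
    return is_listing, flag_entries(entries)


# Constructed sample shaped like an Apache mod_autoindex page.
SAMPLE_APACHE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /~alice/phone backup</title></head><body>
<h1>Index of /~alice/phone backup</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/~alice/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="DCIM/">DCIM/</a></td><td>2015-03-12 10:11</td></tr>
<tr><td><a href="Download/">Download/</a></td><td>2015-03-12 10:11</td></tr>
<tr><td><a href="whatsapp.apk">whatsapp.apk</a></td><td>2015-03-12 10:11</td></tr>
<tr><td><a href="notes.txt">notes.txt</a></td><td>2015-03-12 10:11</td></tr>
</table></body></html>"""

# Constructed sample shaped like an nginx autoindex page.
SAMPLE_NGINX = """<html><head><title>Index of /dlc/</title></head><body>
<h1>Index of /dlc/</h1><hr><pre><a href="../">../</a>
<a href="Some.Movie.2014.1080p.mkv">Some.Movie.2014.1080p.mkv</a> 12-Mar-2015 10:11 4294967296
<a href="release.nfo">release.nfo</a> 12-Mar-2015 10:11 2048
</pre><hr></body></html>"""

# An ordinary page with a link, for contrast.
SAMPLE_NORMAL = ("<html><head><title>My band</title></head>"
                 "<body><a href='gigs.html'>Gigs</a></body></html>")

if __name__ == "__main__":
    for name, page in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX),
                       ("normal", SAMPLE_NORMAL)):
        listing, entries = parse_listing(page)
        print(name, "listing" if listing else "not a listing", flag_entries(entries))
```

The title check is deliberately simple: it catches the stock Apache and nginx output, which is what Google is indexing here, but a server with a customised HeaderName template or a non-English title will slip past it, so treat a "not a listing" result as a hint rather than a clean bill of health.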
I already know what type of content this is going to return. MKV (Matroska) is a container format for compressed video and audio that is often used for “HD” content, and it is the format of choice for most modern torrents.
What I am curious about, though, is that we always hear of the music and film industry going out of their way to issue takedown notices to sites such as YouTube or Vivo. But how much effort have these companies put into content that is this easily accessible, and what effect has it had?
I can’t say I am surprised, but the first Google result seems to be someone’s shared DLC folder. This is the download folder of another popular file sharing application, one that does not require you to share your collection as a public download folder. I checked one .nfo file and it was accessible, and I could read the contents, so I assume the movies are downloadable as well.
This person is pretty much laying out their crime file by file, complete with accurate web logs of who, and from what IP address, has downloaded each file. Surely this is a much better and easier target for the MPAA to go after?
Going down the list there are one or two spam sites designed to look like these accidentally listed pages but which instead take you off to one of those annoying download sites. Some of them were quite good at locking up your browser so you can’t get off them. At this point I was starting to wish I had done my searching from the comfort of a virtual machine rather than my main development computer.
Other Pages of Interest
Whilst I was investigating these open issues I came across other pages that cover the same issue. One of them is even more worrying than what my basic search turned up.
This is a website that makes it easy to find connected devices, like webcams and routers, that still have the default login credentials set. It is of interest because a lot of these devices can also be found using Google. I will do a review of it later on, but the content is easily accessible and worrying.
Johnny I Hack Stuff
The original list, started way back in 2002/2003. It is worrying how many of these search strings are still active or can easily be modified into a modern attack vector. A great starting point to get more insight into the issues with Google URL hacking.
How to block Google Indexing Parts of your Site
This is a pretty comprehensive guide on stopping Google from indexing pages that you really don’t want the public to see. In most cases dropping a blank “index.html” into every new folder will hide the listing, but that only masks the problem: the files are still there for anyone who knows or guesses a filename, and a robots.txt Disallow does nothing to stop a direct visit either. The proper fix is to turn off directory listings in the web server itself (Apache's Options -Indexes) and to let Apache serve only the folders under your document root in /var, never users' home folders. But this covers all you need to know.
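For the Apache side of all this (the mod_userdir home-folder mapping that exposed the university account earlier, and the listing fix discussed here), an added Apache 2.4 configuration example. This is my fragment, not taken from the linked guide; the paths are assumptions.

```apache
# Added example, not from the post or the linked guide.  Apache 2.4:
# turn off directory listings server-wide and stop serving home folders.
# Paths are assumptions; adjust to your own layout.

# Deny everything outside an explicit DocumentRoot first ...
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# ... then open only the site root, with mod_autoindex listings off.
# Without -Indexes, any folder lacking a DirectoryIndex file (index.html)
# is rendered as an "Index of /..." page, which is what Google picks up.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# mod_userdir: do not map http://example.com/~user/ onto home folders at all.
# If some users genuinely need it, keep "UserDir disabled" and add
# "UserDir enabled alice" for the named accounts only.
UserDir disabled

# Belt and braces: never hand out dotfiles (.htaccess, .git, .bash_history)
# even from a folder that is otherwise public.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

If you cannot touch the main config, "Options -Indexes" also works in a .htaccess file provided the directory allows "AllowOverride Options". Either way, check the result the way the author did: ask the server for a folder with no index file and make sure you get a 403, not an "Index of" page.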