Hackers Turn Google Into Password Hunter

The hacking group Cult of the Dead Cow (CDC) this week released a tool that turns Google into an automated vulnerability scanner, scouring websites for sensitive information such as passwords or server vulnerabilities.

CDC first achieved notoriety ten years ago with its backdoor Back Orifice, which demonstrated in a highly public way just how easy it was to take unauthorized control of a Windows PC.

The new tool, called Goolag Scan, is equally provocative, making it easy for unskilled users to track down vulnerabilities and sensitive information on specific websites or broad web domains.

This capability should serve as a wake-up call for system administrators to run the tool on their own sites before attackers get around to it, according to CDC.

"It's no big secret that the Web is the platform, and this platform pretty much sucks from a security perspective," said CDC spokesperson Oxblood Ruffin, in a statement. "We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large website, I'd be downloading this beast and aiming it at my site yesterday."

The tool is a stand-alone Windows .Net application, licensed under the open source GNU General Public License, that provides about 1,500 customized searches under categories such as "vulnerable servers," "sensitive online shopping information" and "files containing juicy information."

The results are displayed as a list of links that can be opened directly in a browser. Example results include tell-tale error messages and Java applets for the remote control of surveillance cameras, according to CDC.

Goolag Scan is based on "Google hacking," the practice of exposing vulnerabilities via Google, which CDC says has been pioneered by a hacker going by the handle "Johnny I Hack Stuff."

Goolag Scan is, however, the first time such vulnerability searches have been built into a simple tool, according to CDC.