Another Google hack – Using Google to crack passwords
I’ve seen some pretty amazing Google hacks in my time, with people using the search engine to find private phone numbers, move security cameras and a lot more besides. The latest chance discovery of the power of Google is how it can be used to discover peoples online passwords.
A few weeks ago, the blog of the Cambridge University security team was broken in to, purportedly by a Russian hacker. He used a security weakness in the Wordpress installation, somehow upping his rank from a user to an administrator, allowing his to pretty much control the blog, and change whatever he wanted to.
It seems it was done more for professional pride than any devious means, and the interesting part didn’t come until later when the team from the Light Blue Touchpaper blog started clearing up after the intrusion.
The team could see the user, but not the password he had used, and they wanted to know what it was. They could see the entry in the MySQL database, which had been lightly encrypted using the MD5 Hash.
After a few failed attempts at uncovering the password, first using an English dictionary, and then later a Russian one, via “a trivial Python script”, Steven Murdoch, one of the guys from the Cambridge University security team, realised he needed more power. So he turned to Google.
He grabbed the hash from the database – 20f1aeb7819d7858684c898d1e98c1bb – and typed it in to the search engine. His search gave results which included many sites featuring “Anthony”, which was the password used by the hacker.
It works because the hash was in the URL. As Murdoch notes on the very same blog that was hacked:
“This makes a lot of sense – I’ve even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key’s MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions.”
So what does this mean for the ordinary punter like you and I who aren’t in to hacking, and would like to avoid being hacked ourselves? Well, it means anyone could potentially use Google to search sites which you use, and come up with a possible list of your passwords of choice. Scary huh.
You can use this handy little utility to check the security of your own passwords, and whether they are likely to be easily found by potential hackers. If any results come up after you have copied and pasted in to Google, it’s time for a quick refresh of your passwords.
Related Posts:
