What we are talking about here is misconfigured websites where sensitive information has accidentally or carelessly been made publicly available. The vulnerability has nothing to do with Google, and might well have been found anyway; all the search engine does is make such sites easier to enumerate. Blaming the search engine here is like blaming obituary notices for exposing grieving widows to con artists. (And even if you do feel like blaming the search engine, it's not specific to Google, except in so far as Google is arguably the best search engine).

All but one of the listed attacks are trivially thwarted by the most elementary security precautions. All this really tells us is that a lot of folks are unable to deal with (or don't care about) even the most basic security precautions. The blame, if there is to be blame, is with companies that provide non-technical consumers with easy access to web publication services and then don't hold their hands through getting it correctly configured.

The one exception -- and the one Google is making some efforts to thwart -- is that use of an indexing service can, in principle, great increase the efficiency of worm propagation. Of course well written worms propagate pretty darn fast already (ISTR Witty took approximately 45 minutes to infect every vulnerable host in the world, by randomised propagation), so all this does is underline the fact that in the event of a major worm outbreak, there isn't time for humans to react.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11054/31737#31737