Wednesday, August 27, 2008

Original URL: http://www.theregister.co.uk/2008/08/22/accessing_restricted_sites/

That password-protected site of yours - it ain't

Published Friday 22nd August 2008 18:16 GMT

It's one of the simplest hacks we've seen in a long time, and the more elite computer users have known about it for a while, but it's still kinda cool and just a little bit unnerving: A hacker has revealed a way to use Google and other search engines to gain unauthorized access to password-protected content on a dizzying number of websites.

While plenty of webmasters require their visitors to register or pay a fee before viewing certain pages, they are typically more than eager for search engine bots to see the content for free. After all, the more search engines that catalog the info, the better the chances of luring new users.

But the technique, known as cloaking, has a gaping loophole: if Google and other search engines can see the content without entering a password, so can you. Want to read this forum (http://forums.inkdropstyles.com/index.php?showtopic=4227) from the InkDrop Styles website? You can, but first you'll have to enter a user name and password. Or you can simply type "cache:http://forums.inkdropstyles.com/index.php?showtopic=4227" into Google. It leads you to this cache (http://209.85.141.104/search?hl=en&q=cache%3Ahttp%3A%2F%2Fforums.inkdropstyles.com%2Findex.php%3Fshowtopic%3D4227&btnG=Google+Search&aq=f), which shows you the entire thread.

The technique yields plenty of other restricted forums, including those here (http://209.85.141.104/search?hl=en&q=cache%3Ahttp%3A%2F%2Fpznetworks.com%2Findex.php%3Fshowtopic%3D3355%26view%3Dgetlastpost&btnG=Google+Search&aq=f), here (http://209.85.141.104/search?hl=en&q=cache%3Ahttp%3A%2F%2Fwww.chillcorner.com%2Findex.php%3Fshowtopic%3D1156&btnG=Google+Search&aq=f) and here (http://supex0.co.uk/xforums/index.php?showtopic=16).

Those in the know have been using the trick for years, but a hacker who goes by the handle Oxy recently made this post (http://hackforums.net/showthread.php?tid=25040) that shares the technique with the world at large. It reminds us of a similar approach for accessing restricted sites that involves changing a browser's user agent to one used by search engine bots.
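As an added illustration (not code from the article or from any of the sites it names), the sketch below contrasts a gate that trusts the User-Agent header with one that confirms a crawler by forward-confirmed reverse DNS and asks the engine not to keep a cached copy. The function names, the sample DNS tables and the documentation-range IP addresses are assumptions constructed for the example.

```python
import socket

# Suffixes Google documents for its crawler hostnames.
CRAWLER_DOMAINS = (".googlebot.com", ".google.com")

# Constructed sample DNS data (documentation-range IPs, not real crawler addresses).
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine-looking crawler
       "198.51.100.7": "host7.isp.example",               # ordinary visitor
       "203.0.113.5": "crawl-1.googlebot.com"}            # PTR record the sender controls
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "crawl-1.googlebot.com": ["192.0.2.99"]}

def sample_reverse(ip):
    return PTR[ip]

def sample_forward(host):
    return A.get(host, [])

def trusts_user_agent(user_agent, logged_in):
    """Weak gate: the cloaking pattern. Any client can send this header."""
    return logged_in or "Googlebot" in user_agent

def is_verified_crawler(ip, reverse=None, forward=None):
    """Forward-confirmed reverse DNS (IPv4): the PTR name must sit in a
    crawler domain AND resolve back to the same IP."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    try:
        host = reverse(ip).rstrip(".").lower()
        return host.endswith(CRAWLER_DOMAINS) and ip in forward(host)
    except (OSError, KeyError):  # lookup failed: treat as unverified
        return False

def gate(user_agent, ip, logged_in, reverse=None, forward=None):
    """Return (status, extra_headers) for a members-only page."""
    if logged_in:
        return 200, {}
    if "Googlebot" in user_agent and is_verified_crawler(ip, reverse, forward):
        # noarchive asks the engine not to offer a cached copy of the page.
        return 200, {"X-Robots-Tag": "noarchive"}
    return 403, {}

if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in PTR:
        print(ip, trusts_user_agent(ua, False), gate(ua, ip, False, sample_reverse, sample_forward))
```

A verified crawler still receives and indexes the text, so search-result snippets can expose parts of it; `noarchive` only covers the cached copy.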

The hack is one example of the security problems that result from the practice of cloaking. Robert Hansen, the web security guru and CEO of secTheory (http://sectheory.com/) recently alerted us to the compromised blog (http://www.blakeross.com/) of Blake Ross, the co-founder of the Mozilla Firefox project who recently went to work for Facebook. For more than a month, unknown miscreants have been using his site to host links to sites pushing diet pills and other kinds of drugs.

Thanks to some JavaScript magic, users who visit the site never see evidence of the compromise, i.e. the links are cloaked. But the image below shows what happens when JavaScript is disabled.

Screenshot of site with javascript turned off

We've contacted Blake about his website, but haven't yet received a response. Cleaning up the site ought to be as easy as updating his badly out-of-date version of WordPress. Addressing the shadowy world of cloaking will take a bit more work. ®

© Copyright 2008


Friday, August 1, 2008

Jerry Garcia Day Jerry Day

Welcome to the website for Jerry Day 2008 and info on the Jerry Garcia Amphitheater!


"Jerry Day is a civic and cultural event that celebrates one of the greatest rock guitarists of all time and San Francisco native son - Jerry Garcia. This event captures the true spirit of Jerry Garcia as we celebrate his legacy, the Jerry Garcia Amphitheater, and recognize his Excelsior roots. By uniting the diverse communities of San Francisco through Jerry's music, we are creating something extraordinary for Jerry's childhood neighborhood - the Excelsior District, McLaren Park, and the City and County of San Francisco."

"Happy Jerry Day to all!"

- San Francisco Mayor Gavin Newsom


SUNDAY, AUGUST 3rd, 2008
Noon to 6:00pm :: Doors open at 11:00am

Melvin Seals and JGB (3:30pm) [Website]

Workingman's Ed (12:30pm) [Website] [MySpace]

Stu Allen & Sandy Rothman Acoustic (2:40pm) [Stu's Info]

Loco Bloco (12:00pm) [Website]

THE JERRY GARCIA AMPHITHEATER
45 John F. Shelley Drive,
San Francisco [MAP]

JERRY DAY 2008 - Donor Info!

MAKE CHECK OUT TO: SAN FRANCISCO PARKS TRUST
MAIL TO: JERRY DAY COMMITTEE
6211 TELEGRAPH AVE. #33
OAKLAND, CA 94609
DONATE BY PHONE (CREDIT CARD, PAY PAL, ETC.): 415-272-2012
OR USE PAY PAL ONLINE:


JERRY DAY 2008 POSTER


Jerry Day Blog and Updates!


Jerry Day on NEN TV!

JULY 30TH, 2008
8:00 AM :: KFOG 104.5 MORNING SHOW

AUGUST 1st, 2008
8:00 PM :: 12 GALAXIES
2565 MISSION ST., SAN FRANCISCO
MONTANA SLIM, DJ DARKSTAR DAN
$1 FROM EACH TICKET SALE GOES TO JERRY DAY 2008! YEAH!