A search engine is a boon to life: it allows us to find the necessary information quickly and easily. When the Internet first appeared, we had to wade through directories searching for the right websites; now all you need to do is enter your query in a search bar, be it Google or Yandex.
Search is not only about search engines. We look for information about people on social networks, look for videos on YouTube, and browse Wikipedia for fact-based information. It’s all very convenient and very dangerous.
This chapter doesn’t cover how Google seeks to know everything about you by collecting and storing information about you, or how the search engine may keep records of the searches you wished to delete. We will focus on these topics in separate chapters of the course. In this chapter, I will tell you about different dangers posed by search engines.
SMS message leaks
You have probably used or heard about the option to send free SMS messages through a telecommunications operator’s website. This service is popular in some countries, for instance, in Russia. When sending an SMS, you never assume that your text messages will be seen by anyone who wishes to read them.
The users of the Megafon website who used its free online SMS service never thought this could be possible until one day they could see the indexed text messages purged by the Yandex search engine from its cache. Yandex’s cache kept the dates, texts and phone numbers of the recipients of the messages.
The unfortunate users could put the blame on the sitemap of the Megafon website, which didn’t contain the instructions forbidding indexing of the contents of the websites with the information about the sent SMS and Yandex.Metrika. The website with the SMS wasn’t supposed to be available to anyone except the sender, who, by clicking the unique link, could see the information about the SMS sent and its current status. But in the end, the messages became easily available to view online for all Internet users, who were quick to post all kinds of comments on the most lurid of them.
Tip: Don’t send text messages through websites. Overall, don’t send sensitive information using SMS.
When Russia’s most popular social networking site Vkontakte introduced the option that allowed document uploading, it was quickly picked up by users who found it very useful to share files with other users.
However, by default all the documents uploaded were set to public, and their titles were indexed by the internal search of the social networking site.
Thus the search results showed photos of credit cards and scans of ID documents, attracting fraudsters. Every day they found new documents by entering the queries “credit card” or “ID document” and then sold the sensitive information on the dark market or used it in an illicit manner.
However, the scammers quickly found themselves on the receiving end when the issue of publicly available documents raised a public outcry. The hackers forged documents that contained malware and posted them on the social network disguised as users’ credit cards and IDs. Many scammers had to pay a hefty ransom to have their data unlocked.
Tip: If you are posting a file or document somewhere, make sure that it is not visible to the public.
Private chat access leaks
Many users know that among other features the instant messaging service Telegram offers the option of private chats (groups). You can create a private chat, and no one except for the people you’ve invited can access it.
These chats contain personal information and sometimes confidential corporate data that are supposed to be known only to a restricted circle. To get access, one needs to get the administrator’s invite or click the secret link known only to the participants of the chat and… to the search system.
Unfortunately, the links to private chats weren’t protected from indexing. Google’s search system scanned them, and they became available to everyone. The problem was resolved only after an independent researcher discovered the vulnerability.
The researcher who found the weakness said that Telegram’s developers not only took too much time to answer him but didn’t even admit the scale of the problem. However, everyone who uses private chats to share sensitive information should have serious concerns about this huge oversight.
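Both the SMS status pages and the private chat links above were pages reachable by a secret URL that did not tell crawlers to stay away. The following is an added example, not code from the original chapter or from any of the services mentioned: a small audit that checks whether such a page carries a noindex directive and whether robots.txt lets the crawler read it. The host, paths and sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

CRAWLERS = {"robots", "googlebot", "yandex"}  # meta names honoured by the big engines

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in CRAWLERS:
            content = (a.get("content") or "").lower()
            self.directives.update(d.strip() for d in content.split(","))

def _header_directives(headers):
    """Directives from X-Robots-Tag, dropping an optional 'googlebot:' prefix."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            value = value.split(":", 1)[-1].lower()
            found.update(d.strip() for d in value.split(","))
    return found

def audit_private_link(url, headers, html, robots_txt=""):
    """Report whether a secret-link page tells crawlers not to index it."""
    meta = _RobotsMeta()
    meta.feed(html)
    noindex = bool((meta.directives | _header_directives(headers)) & {"noindex", "none"})
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch("*", url)
    if noindex and crawlable:
        verdict = "ok: crawler can fetch the page and is told not to index it"
    elif noindex:
        verdict = "weak: robots.txt blocks the fetch, so the noindex is never read"
    elif crawlable:
        verdict = "exposed: page can be crawled, indexed and cached"
    else:
        verdict = "weak: Disallow only; the URL can still be listed if linked elsewhere"
    return {"noindex": noindex, "crawlable": crawlable, "verdict": verdict}

# Constructed samples (hypothetical host and paths, not taken from any real site)
URL = "https://example.test/sms/status/9f2c1e"
BARE = audit_private_link(URL, {}, "<html><body>Delivered</body></html>")
HARDENED = audit_private_link(URL, {"X-Robots-Tag": "noindex, noarchive"}, "<html></html>")
BLOCKED = audit_private_link(URL, {}, '<meta name="robots" content="noindex">',
                             "User-agent: *\nDisallow: /sms/")
```

These directives only instruct cooperating crawlers; a page whose sole protection is an unguessable link still needs authentication or an expiring token if the link can end up anywhere a crawler can see it.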