Search engines reveal not just vulnerabilities that lead to web defacement, but vulnerabilities that can be used to launch all kinds of attacks. In fact, hackers have used search engines to get such clues about the contents of a site or how it was built for quite some time now.
A single well-chosen search query can come back with several results showing a number of vulnerabilities. So all hackers really need is a web browser and a search engine to look for websites with exposed pieces of information that can be exploited. This method of finding vulnerabilities is so effective that ethical hackers who try to penetrate sites to check their security also use search engines to discover vulnerabilities.
Examples cited in recent articles are back-up files and source code that is stored as HTML files, and embedded comments containing passwords.
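A site owner can look for the same exposures before a crawler indexes them. The following is an added example, not code from the original article: it walks a document root and flags the items named above (backup files, source code served as static files, and comments containing passwords). The suffix lists and regular expressions are assumed heuristics to be tuned per site.

```python
import os
import re
import sys

# Assumed heuristics (not from the article): tune these for your own site.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".sql", ".zip", ".tar.gz", "~")
STATIC_SUFFIXES = (".html", ".htm", ".txt")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
CREDENTIAL_HINT = re.compile(r"(?i)\b(pass(word|wd)?|pwd|secret|api[_-]?key)\b\s*[:=]")
SOURCE_MARKER = re.compile(r"<\?php|<%@|<%=")


def audit_file(path):
    """Return the list of reasons this file should not be publicly served as-is."""
    reasons = []
    name = os.path.basename(path).lower()
    if name.endswith(BACKUP_SUFFIXES):
        reasons.append("backup or archive file in web root")
    if name.endswith(STATIC_SUFFIXES):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        # Server-side code in a static file is sent to the client unparsed.
        if SOURCE_MARKER.search(text):
            reasons.append("server-side source code in a statically served file")
        # Only comment bodies are checked, so ordinary page text is not flagged.
        if any(CREDENTIAL_HINT.search(c) for c in HTML_COMMENT.findall(text)):
            reasons.append("HTML comment that looks like it holds a credential")
    return reasons


def audit_webroot(root):
    """Walk a document root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend((rel, reason) for reason in audit_file(full))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it against the deployed document root rather than the source tree, since editor backups and database dumps usually appear only on the server.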
The problem is that most website developers are taught to make efficient and functional pages through correct coding but are not taught secure coding.
In fact, hackers using search engines to find these vulnerabilities cannot even be traced. When the potential hacker queries to find a vulnerability, the search engine will put all the targeted files into the search engine cache, which does not have the hacker’s IP address, very effectively covering their tracks.
A search engine would need to severely limit its functionality to thwart such hackers. Given the point we have reached with respect to information accessibility through the use of search engines, we cannot expect search engines to do so. In fact, if one search engine simply began to limit its functionality in the name of better security, hackers would turn to other search engines as an alternative. The onus, evidently, is not on the search engines, but on the website creators to make sure their sites are secure. Typically, attackers do not look to target a specific site, but only have an end goal in mind, like stealing credit card details.
Search engines give hackers tremendous power because hackers can see anything on the site that is interesting to them through search engines. A single portion of the page, like a string of text, can give a clue as to whether the site is vulnerable. All the hacker then needs is the application source code, which makes exploitation all the easier.
