Make sure you noindex sensitive files

I had an unexpected opportunity to put my cyber security skills into action this week when I stumbled across some potentially sensitive information that was publicly accessible via a search engine.

© Ian Lamont (CC BY 2.0). Cropped.

In the course of some freelance work, I needed to verify the owner of an email address. The website on the address’s domain gave little away, so I decided to put it into Google to see if it would reveal anything to confirm that the owner was who they were supposed to be.

But one of the first results – a PHP file – was a little odd. I quickly realised that I was looking at a list of hotel bookings, including names, email addresses, dates, booking numbers, prices paid, and the name of any third-party booking websites that had been used as part of the transactions.

I’ve seen plenty worse, of course, but by scanning through the data you could put together certain stories (for example, that an employee of a well-known financial company booked six rooms), and nobody wants any of their financial details published online, even if they were just booking totals.

With this in mind, and also concerned that the site may contain other sensitive data, I took a look at the root domain. It turned out to belong to a mobile app developer, so I sent them an email to advise them of the issue, hoping that the company was still active and it wasn’t an abandoned site.

It was a discovery that reflected a commonly overlooked part of cyber security assessment: files sitting on a public web server that are not linked from an organisation’s main site, so nobody thinks of them as published, yet a crawler can still find and index them.

Remember that anything you upload to your business’s website is at risk of being accessed, even if you think nobody will find it. In this case, the data probably shouldn’t have been on the public web anyway, but if you do want to hide something, at least make sure you noindex it, or – better still – put it behind a login page where random people won’t stumble across it.
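A defender-side check for the directive recommended above, added here as an example and not code from the original post: it reports whether a fetched response carries noindex either in an X-Robots-Tag header or in a robots meta tag (the two forms search engines honour), run against constructed sample responses. It only confirms that indexing is discouraged; it says nothing about whether the file is still publicly readable, which is why a login page is the better fix.

```python
from html.parser import HTMLParser
from typing import Mapping, Optional

# Added example: noindex can be set as an X-Robots-Tag response header or
# as a <meta name="robots"> tag in an HTML body. A file with neither is
# indexed as soon as a crawler finds it, linked from the main site or not.


class _RobotsMetaParser(HTMLParser):
    """Collect the content attribute of robots meta tags."""

    def __init__(self) -> None:
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Crawler-specific names such as "googlebot" are honoured too.
        if a.get("name", "").lower() in ("robots", "googlebot", "bingbot"):
            self.directives.append(a.get("content", ""))


def _has_noindex(value: str) -> bool:
    # Directive lists are comma-separated and case-insensitive,
    # e.g. "noindex, nofollow" or "NOINDEX".
    return "noindex" in (t.strip().lower() for t in value.split(","))


def is_noindexed(headers: Mapping[str, str], body: Optional[str] = None) -> bool:
    """True if the header or (for HTML bodies) a robots meta tag says noindex."""
    lowered = {k.lower(): v for k, v in headers.items()}
    tag = lowered.get("x-robots-tag", "")
    # The header may be scoped, e.g. "googlebot: noindex"; keep the directives.
    if tag and _has_noindex(tag.split(":", 1)[-1]):
        return True
    if body and "text/html" in lowered.get("content-type", "").lower():
        parser = _RobotsMetaParser()
        parser.feed(body)
        return any(_has_noindex(d) for d in parser.directives)
    return False


# Constructed sample responses standing in for an exposed listing page.
EXPOSED = ({"Content-Type": "text/html; charset=utf-8"},
           "<html><head><title>Bookings</title></head><body>...</body></html>")
META_FIXED = ({"Content-Type": "text/html"},
              '<html><head><meta name="ROBOTS" content="noindex, nofollow"></head></html>')
HEADER_FIXED = ({"Content-Type": "application/pdf", "X-Robots-Tag": "noindex"}, None)
```

Non-HTML files such as PDFs or CSV exports can only carry the directive as a response header, so the header branch is the one that matters for them.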

I’m awaiting a response from the developer, but will post an update if anything interesting happens.
