Finding Confidential Documents using Google Dorks
Hello everyone, hope you all are doing well. Today i am going to write about accessing confidential files using Google dorks. What i am going to write about has helped me in various bug bounty and responsible vulnerability disclosure programs as organization’s sensitive files were being leaked and in many cases secret government files were being exposed on the internet which were not meant to be publicly accessible, at least not before the specified file disclosure timeline. This was a blunder mistake but was timely corrected by respective RVD (Responsible Vulnerability Disclosure) programs specially by Department of Defense (DoD) on Hackerone.
WARNING: By using this Google dork i assume no responsibility of any work/act done by you and you are solely responsible for your work. Kindly act responsibly and disclose confidential files only to respective web system owners or authorities. Ex- DoD on hackerone (if you find any leaking document from a website owned by DoD). So let us begin now
This Google dork basically works for Amazon AWS s3 buckets hosted online. Dork → site:http://s3.amazonaws.com confidential OR “top secret” (http will also include results for https websites). This is a misconfiguration issue as confidential files are being leaked without any protection mechanism involved in order to restrict unauthorized access to such files. Now this Google dork works similar to other dorks used for pentesting. You can also club it with other dorks but remember: Google has limited the amount of keywords that you can search for to a total of 32 words. This means that all search term beyond the 32 word limit will not be taken into account in a search. Also there is a character limit per one keyword. A single keyword can not be longer than 2048 characters. For specific and accurate results use domain name with this dork to narrow down your search results. Ex- inurl:gov site:http://s3.amazonaws.com confidential OR “top secret”. You can also replace .gov extension to any other domain name however this works juicy with .gov domain.
I used this dork and found a popular smartphone manufacturing company’s annual expenditure and evaluation report being leaked which was labelled as “confidential” and was meant to be used for internal purposes. Here is a look of my modified Google dork → site:http://s3.amazonaws.com confidential | top secret | classified | undisclosed | , (you can add “inverted commas” in your dork for more accurate results). Adding samsung in search query returns:
If you know what to use and how to use this will help you in finding a crucial (not a piece but a whole chunk) of information hosted irresponsibly online. Again, act responsibly and report them to concerned authorities only. So that’s the end for now. Till next stay happy, healthy and keep smiling. Stay tuned for more informative stuff like this.
