Google is an extremely powerful search engine, in the sense that it crawls, grabs and remembers whatever web pages and files its crawlers come across on the Internet, whether or not they are intended for public viewing. Google also provides powerful search filters and operators that return accurate search results. As a result, you can find many interesting things using Google, such as unprotected live webcams.

You can also use Google to search for passwords that are accidentally exposed in various files, especially unprotected or improperly protected password information stored in plain text on a web server. The most serious leaks happen on misconfigured web servers that show directory listings or expose PHP code. A typical example is the plain text passwords used by FrontPage, a simple Web publishing program from Microsoft that has since been discontinued. Nevertheless, somebody out there on the Internet is still using FrontPage, and continues to expose its passwords to the world via Google. Try the following search query to find FrontPage passwords stored in the service.pwd file.

ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-"

Other examples include password.log and password.list; .inc files with PHP code that contain unencrypted usernames, passwords, and addresses for database authentication, usually MySQL (filetype:inc intext:mysql_connect); the config.php file that hackers use to hack phpBB forums (ext:php intext:"$dbms""$dbhost""$dbuser""$dbpasswd""$table_prefix""phpbb_installed"); and many more. GHDB provides a long list (no longer available) of possible passwords that can be found via Google.

So remember to check your web server for these vulnerabilities and fix any security issues, threats and possible leaks. If information is for internal viewing only and is not meant to be published on the Web, use robots.txt to exclude all crawling and spidering by search engines. Keep in mind that robots.txt only asks compliant crawlers to stay away and does not restrict access to the files themselves.
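
One way to run that check against your own document root, as an added example that is not part of the original article: it looks for the file types named above (FrontPage .pwd files, .inc files calling mysql_connect, password.log and password.list, and a phpBB config.php). The rule names, the function names and the sample tree are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# (rule name, file-name pattern, required content or None). Rule names are
# assumptions for this example; the patterns come from the queries above.
RULES = [
    ("frontpage-pwd", re.compile(r"\.pwd$", re.I), b"# -FrontPage-"),
    ("php-include-db-creds", re.compile(r"\.inc$", re.I), b"mysql_connect"),
    ("password-dump", re.compile(r"^password\.(log|list)$", re.I), None),
    ("phpbb-config", re.compile(r"^config\.php$", re.I), b"$dbpasswd"),
]

def read_head(path, limit=65536):
    """Read a bounded prefix so one huge file cannot stall the scan."""
    with path.open("rb") as fh:
        return fh.read(limit)

def audit_webroot(root):
    """Return sorted (rule, relative path) pairs for risky files under root."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        for rule, name_re, marker in RULES:
            if name_re.search(path.name) and (marker is None or marker in read_head(path)):
                findings.append((rule, path.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample_webroot(root):
    """Constructed sample tree; every credential in it is a dummy value."""
    root = Path(root)
    (root / "_vti_pvt").mkdir()
    (root / "_vti_pvt" / "service.pwd").write_text("# -FrontPage-\nexample:DUMMYHASH\n")
    (root / "includes").mkdir()
    (root / "includes" / "db.inc").write_text("<?php mysql_connect('localhost', 'u', 'dummy'); ?>")
    (root / "includes" / "layout.inc").write_text("<?php echo 'header'; ?>")  # no credentials
    (root / "password.log").write_text("dummy\n")
    (root / "index.html").write_text("<h1>hello</h1>")

def demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return audit_webroot(tmp)

if __name__ == "__main__":
    for rule, rel in demo():
        print(f"{rule}: {rel}")
```

A hit means the file sits under the document root; whether the server actually serves it still has to be confirmed against the server configuration.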