Re: New google's top query?

[Justin Wheeler <bugtraq@xxxxxxxxxxxxxx>]

It's also worth noting that the vast majority of the cards supplied via 
this method, even when it isn't riddled with "hey look what google can 
do!" messages, are test card numbers that are used only for testing online 
payment software, and won't work on live sites.

Also, most of the cards I found when I tested it came with no expiry, and 
9 times out of 10, online merchants also require the 3 digit verification 
code on the back of cards aswell.

Lastly, I'd like to point out, there's a good chance that if the card has 
made it into the public domain, someone else has probably already 
exploited it, and any attempt to use it yourself would be nothing more 
than blatant stupidity, as the card is likely already been cancelled, and 
being monitored for more fradulent activity.

Google is doing nothing, and doesn't need to change anything.  If they do, 
what would be next, they have to locate people's names and scratch them 
off because they might be under the witness protection program?

Regards,
Justin Wheeler

--
I hit the CTRL key but I'm still not in control!

On Mon, 23 Aug 2004, Alex Keller wrote:

> Re: New google's top query?
>
> this "hack" (really a numrange search) was covered at DEFCON12 
> (http://www.defcon.org/html/defcon-12/dc-12-index.html) and widely known 
> before it was publicized by Johnny Long (http://johnny.ihackstuff.com/) 
> during his talk at the conference (to his credit, he did NOT release the 
> exact syntax BTW). following that search now will yield little sensitive 
> info, as most of the affected sites have removed the pages that demonstrated 
> this security breach. Google is well aware of the malicious activity that can 
> be aided with their search engine....but they are in a bit of a predicament 
> between notions of security and freedom; a common juxtaposition in politics, 
> social order, and network security.
>
> this forum at Johnny's site has plenty more search "hacks":
> http://johnny.ihackstuff.com/index.php?module=prodreviews
>
> for further investigation and vulnerability testing, check out Foundstone's 
> SiteDigger: 
> http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm
>
> Athena is another powerful Google digging tool that can expose search 
> vulnerabilities; although i can't seem to find a working download site right 
> now. you can grab the entire DEFCON12 iso (457MB) at:
> http://130.212.20.4/admin/defcon/defcon12.iso
> Athena can be found in the directory "Long".
>
> happy Google hunting...oh yeah, don't be an idiot and use this info for evil.
>
> -alex
>
>
> other
> Jérôme ATHIAS wrote:
>
> > Hi,
> >
> >
> >
> > i don't remember to have seen this info here...
> >
> >
> >
> > If information is knowledge and knowledge is power, then Google must be all 
> > powerful. I say this because of the thing you can find on Google if you 
> > know how to look for them. A new Google hack has come to my attention that 
> > brings back some information that is a bit troubling. I must say that it is 
> > also good for the more you know about something the better you are to act 
> > upon it. The hack is this:
> >
> >
> >
> > http://www.google.com/search?q=visa+4356000000000000..4356999999999999
> >
> >
> >
> > When this query is put into the Google search, an idea of the brut strength 
> > of Google becomes apparent. You can find things like this, which may worry 
> > you if you found your name on it.
> >
> >
> >
> > Im not really sure if Google knows what it can do, but they take an 
> > interesting stance toward their provision of data.
> >
> >
> >
> > Regards,
> >
> > Jérôme