Slashdot Mirror


Google Bots Doing SQL Injection Attacks

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."


  1. Uhh... by Anonymous Coward · Score: 5, Insightful

    If you have http GET requests going (effectively) straight into your database, that's YOUR problem, not Google's.

    1. Re:Uhh... by Anonymous Coward · Score: 2, Insightful

      Suppose there is a way to mitigate this issue on Google's end, is there something wrong with taking action to reduce the amount of attacks, even if the website is at fault?

      Yes, there is something "wrong": Google has no idea what is or is not a "malformed" request. You're basically asking Google to sanitize the database input, which is generally not possible if you don't know anything about what the database should or should not accept. Adding something along the lines of 'user=root' or 'page=somekindofdata' to a query may be perfectly legitimate for one site, and a massive problem for a different one.
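
The first comment's point, that the fault lies with a site that feeds GET parameters straight into SQL, is easiest to see side by side. The following is an added example (not code from the story or from any of the commenters) using an in-memory SQLite table that stands in for "Site B"; the table layout, the `/item?id=` URL shape and the hostname are constructed for the demonstration. The same crawler-fetched URL is handled once by a string-concatenating lookup and once by a lookup that validates the parameter and binds it, which is the mitigation the comment is pointing at.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    # Constructed stand-in for Site B's database (assumption: a products
    # table keyed by an integer id). Fresh per call so tests stay independent.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", "a"), (2, "gadget", "b"), (3, "gizmo", "c")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    # The pattern the comment is talking about: the query-string value is
    # pasted into the SQL text, so whatever URL the crawler followed
    # becomes part of the statement that runs.
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    # Validate the shape first: this parameter is an integer id, nothing
    # else is accepted. Anything that is not an integer simply returns no rows.
    try:
        pid = int(product_id)
    except ValueError:
        return []
    # Bind the value as a parameter; the driver passes it as data, never as
    # SQL text, so the statement structure cannot be altered by the input.
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (pid,)
    ).fetchall()


def handle_get(conn, url, lookup):
    # Minimal model of a GET handler: pull ?id= out of the URL a crawler
    # (or any visitor) requested and hand it to the chosen lookup.
    query = parse_qs(urlparse(url).query)
    product_id = query.get("id", [""])[0]
    return lookup(conn, product_id)


if __name__ == "__main__":
    db = make_db()
    # Constructed URLs standing in for links embedded on "Site A".
    benign = "http://site-b.example/item?id=2"
    tampered = "http://site-b.example/item?id=1%20OR%201%3D1"
    print("vulnerable, benign :", handle_get(db, benign, lookup_vulnerable))
    print("vulnerable, tampered:", handle_get(db, tampered, lookup_vulnerable))
    print("safe, benign       :", handle_get(db, benign, lookup_safe))
    print("safe, tampered     :", handle_get(db, tampered, lookup_safe))
```

Note that the hardened version does two independent things: it rejects input that does not match the expected type, and it uses a bound parameter. Either alone helps; together the request that a crawler happened to follow cannot change what the query does, which is exactly why no amount of filtering on the crawler's side is needed.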

  2. How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · Score: 5, Insightful

    TFA seems to place all the faults on Google.

    Fact is, Google is not the only one who is crawling the Net. Yahoo does it as well as Bing, among others.

    If the Google "bots" can be tricked into doing the "heavy lifting", so can the Yahoo "bots", Bing "bots", and "bots" from other search engines.

    1. Re:How about Yahoo "bots", Bing "bots" ? by _Sharp'r_ · Score: 5, Insightful

      Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!

      Next you'll be suggesting that you could do that transparently to the user and have their browser re-use their already logged in session on another site to do things with their credentials for you!!!!

      What will they think of next? It's a good thing we have these wonderful stories to explain how this whole web thingy works with all its links and stuff...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
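
The second half of that comment is describing cross-site request forgery: a link or form on one site makes the visitor's browser send a request to another site, and the browser attaches the session cookie it already holds. The usual defence on the receiving site is to refuse state changes on GET and to require a per-session token that a foreign page cannot read. This is an added example, not code from the story or from the commenter; the HMAC-keyed token scheme, the secret key, the session ids and the origin values are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed server-side secret (assumption for the demo only; a real
# deployment would load this from configuration, never hard-code it).
SECRET_KEY = b"constructed-demo-key"

# The site's own origin; anything else is a cross-site request.
SITE_ORIGIN = "https://site-b.example"


def make_csrf_token(session_id):
    # Synchronizer token derived from the session id with a keyed hash.
    # The token is rendered into the site's own forms; a page on another
    # origin cannot read it, so it cannot include it in a forged request.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented_token):
    expected = make_csrf_token(session_id)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, presented_token or "")


def accept_state_change(request):
    """Decide whether a request that would change state may proceed.

    `request` is a constructed dict with the fields a handler would see:
    method, origin (from the Origin header), session_id (from the cookie
    the browser attached) and form_token (from the submitted form).
    """
    # Crawlers and plain links only issue GET; GET must never change state.
    if request["method"] != "POST":
        return False
    # Browsers send the Origin header on cross-site POSTs; a mismatch means
    # the form was submitted from somewhere other than this site.
    if request.get("origin") != SITE_ORIGIN:
        return False
    # Finally the token must match the session the cookie identifies.
    return csrf_token_valid(request["session_id"], request.get("form_token"))


def sample_requests():
    # Constructed requests, all carrying the same logged-in session cookie.
    session = "sess-42"
    return {
        # A crawler or visitor following a link embedded on another site.
        "link_from_site_a": {
            "method": "GET",
            "origin": "https://site-a.example",
            "session_id": session,
        },
        # A form on another site auto-submitting into the logged-in session.
        "forged_post": {
            "method": "POST",
            "origin": "https://site-a.example",
            "session_id": session,
            "form_token": "guess",
        },
        # A legitimate submission of the site's own form.
        "genuine_post": {
            "method": "POST",
            "origin": SITE_ORIGIN,
            "session_id": session,
            "form_token": make_csrf_token(session),
        },
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:18s} -> {'accepted' if accept_state_change(req) else 'rejected'}")
```

The two checks are deliberately layered: the origin check stops the forged submission even if a token were somehow leaked, and the token check stops a request whose Origin header is absent or spoofed by a non-browser client. Both rely on the site, not on whoever placed the link, which is the comment's point.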
    2. Re:How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · Score: 0, Insightful

      A DDOS is, by definition, a deliberate attempt to knock a site off the net.

      Do read up on that definition please ...

      Something like a single botched update (causing clients to connect to the mothership) could cause the same effect. Heck, even the downloading of the newest Windows 8.1 operating system did cause problems -- very slow connections -- that could be considered a "denial of service". Online games on their release-dates often have the same problem. Another cause could be an "email storm" involving multiple clients.

      Nope, the definition of DDOS does not involve deliberation(/intention) at all.

      So, please do what you advocate yourself, and use your terminology correctly. ... And that goes double, as your parent was talking about DOS, not DDOS.