Slashdot Mirror


Google Bots Doing SQL Injection Attacks

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."

7 of 156 comments

  1. could not care less by Anonymous Coward · Score: 5, Informative

    not just "could care less". Sheeesh.

    1. Re:could not care less by Anonymous Coward · Score: 5, Funny

      Means the same thing irregardless.

  2. Uhh... by Anonymous Coward · Score: 5, Insightful

    If you have http GET requests going (effectively) straight into your database, that's YOUR problem, not Google's.

  3. How about Yahoo "bots", Bing "bots" ? by Anonymous Coward · Score: 5, Insightful

    TFA seems to place all the faults on Google.

    Fact is, Google is not the only one who is crawling the Net. Yahoo does it as well as Bing, among others.

    If the Google "bots" can be tricked into doing the "heavy lifting", so can the Yahoo "bots", Bing "bots", and "bots" from other search engines.

    1. Re:How about Yahoo "bots", Bing "bots" ? by _Sharp'r_ · Score: 5, Insightful

      Why, it's not just bots! If you put a link out on a public web site, real people might even click on the link for you!

      Next you'll be suggesting that you could do that transparently to the user and have their browser re-use their already logged in session on another site to do things with their credentials for you!!!!

      What will they think of next? It's a good thing we have these wonderful stories to explain how this whole web thingy works with all its links and stuff...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.

  4. Re:HTTP RFC - Section 9.1 Safe and Idempotent Meth by Anonymous Coward · Score: 5, Funny

    This is Slashdot. What do we know about GET HEAD methods?
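
An added example, not from the story or any commenter, that ties comment 2 (a GET parameter spliced straight into SQL is the site's own fault) to comment 4's reference to HTTP's safe-method rule (a crawler only ever issues GETs, so GET must never change state). It uses a constructed in-memory SQLite table standing in for "Site B"; the hostname, paths, table and sample crawler-followed URL are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

def make_db():
    # Constructed stand-in for Site B's database: one public and two non-public rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Welcome", 1), (2, "Draft: unreleased", 0), (3, "Internal memo", 0)])
    return db

def vulnerable_lookup(db, raw_id):
    # The pattern comment 2 warns about: the query-string value is concatenated into SQL,
    # so whatever a crawler found in a link on Site A becomes part of the statement.
    sql = "SELECT title FROM articles WHERE public = 1 AND id = " + raw_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def parse_int(raw):
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None

def safe_lookup(db, raw_id):
    # Hardened form: validate the type, then bind the value as a parameter.
    article_id = parse_int(raw_id)
    if article_id is None:
        return []
    return [row[0] for row in db.execute(
        "SELECT title FROM articles WHERE public = 1 AND id = ? ORDER BY id", (article_id,))]

def handle(db, method, url, lookup):
    # Minimal request router. Per the HTTP "safe methods" rule, anything that changes
    # state is refused on GET, so a link-following bot cannot trigger it.
    parts = urlsplit(url)
    raw_id = parse_qs(parts.query).get("id", [""])[0]
    if parts.path == "/admin/delete":
        if method != "POST":
            return (405, [])
        article_id = parse_int(raw_id)
        if article_id is None:
            return (400, [])
        db.execute("DELETE FROM articles WHERE id = ?", (article_id,))
        return (200, [])
    if parts.path == "/article":
        return (200, lookup(db, raw_id))
    return (404, [])
```

Fed the same crawler-followed URL, the concatenating lookup leaks the non-public rows while the parameterized one returns nothing, and a GET to the delete path never reaches the database.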

  5. Skype too by gmuslera · Score: 5, Interesting

    If Microsoft follows links shown in "private" Skype conversations (and probably several NSA programs too) they could be used to attack sites this way. Could be pretty ironic to have government sites with their DBs wiped from a SQL attack coming from an NSA server.