Google Hacking (Google Dorking): Definition & Techniques

Google hacking (sometimes called Google dorking) is when hackers use search engines to identify security vulnerabilities. With a bit of time and search know-how, a hacker could figure out the best way to attack you.

Eliminating your site from Google isn't smart. Your customers need to find you, and most of them will head to search engines to do that. But you can take preventive steps to ensure that hackers can't find out how to attack you via Google.

How does a Google hack work?

A Google hack is a research session based on data you've made available to the public via a search engine. To protect yourself and your company, you must assess what you let Google see and what should be kept private.

Hackers could use any website for research. But since Google has a 90 percent market share, the company name has become synonymous with search. That's why we call this a Google hack rather than a simple search engine hack.

It might seem strange to use something like a search engine to spot security vulnerabilities. But unfortunately, this technique is incredibly effective.

Studies suggest that about half of all development teams push vulnerable code live because they've run out of testing time. During Google hacking, experts seek out every point of vulnerability.

They might look for:

  • Cameras. Do you have connected devices recording important movements?
  • Directories. Can people quickly find the names and contact information for important staff?
  • Passwords. Do you index folders filled with sensitive information? Do you encrypt that information?
  • Portals. Can people find your login landing pages?
  • Versions. Are you using software with known vulnerabilities? Do you resist downloading security patches?

Hackers use advanced search operators to make their work quicker and more efficient. When combined with the name of your site, these terms deliver pages or text that's very specific and easy to parse.

At the end of a Google hack, your opponent knows quite a lot about you and what you're doing to keep your company safe. That attacker can't launch an attack via Google, but the research could help that person plan their next steps.

Preventing Google hacking attacks

You’ll want to protect against this kind of attack. To start, encrypt all sensitive information, like payment information, usernames, passwords, and messages.

Then, use one of three Google tags on your content to direct the way search bots index (or skip) critical information.

  • Robots.txt: This tag can't block private content from indexation. But it could help if crawling is harming your server. 
  • Robots meta: Control how an individual HTML page appears in results, or keep it out of results altogether. 
  • X-robots-tag: Control how non-HTML pages appear in results, or block them from showing up.

Your web developer may have strong opinions about which tag is right for you and your company. Once you implement your chosen code, watch your traffic scores to ensure you're not keeping consumers away from pages they consider critical.

You can also use a vulnerability scanner to ensure that you don't expose files or pages that should remain hidden. OWASP lists several of these tools, and some come with free scans you can use before you buy.

Work with Okta

What if a Google dorking session has already happened? How can you protect your company?

Learn more about how you can boost your security with Okta.

References

How Google Retains More than 90 Percent of Market Share. (April 2018). Insider.

DevSecOps Study Finds That Nearly Half of Organizations Consciously Deploy Vulnerable Applications Due to Time Pressures. (August 2020). PR Newswire.

Robots FAQs. Google Search Central.

Vulnerability Scanning Tools. OWSAP.