
Text file warning! - be sure and secure them.

Discussion in 'White Hat SEO' started by aftershock2020, Jun 9, 2010.

  1. aftershock2020

    aftershock2020 Senior Member

    Just a heads up here folks.

    If you use .txt files to store crons, lists, data, etc., this is specifically for you, as a security warning. Because all spiders are able to see/read all languages for processing website indexing, there is a major security hole here.

    Sure, it could be said of any file within a site that you can get the extension of; however, you can go directly to and download these documents for your own use, or for someone to download and use against you.

    Here is an example:

    http://www.google.com/robots.txt


    It isn't anything critical, but if you use a cart, a journal, or even your own control panel's cron jobs, a lot of those systems post records in .txt file format. They are right there for anyone to collect whatever information is on them for their use and abuse.

    Search your own 'domainnamehere.com + .txt' and see what comes up under your domain, to see what may be sticking out like a sore thumb for anyone that wants to take that kind of information from you.

    For standard security practice, most people know to check their file link extensions but for those that don't, I recommend that you start.

    Hope this helps a few of you.
     
    • Thanks x 2
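One way to run the check the post recommends directly against your own document root, instead of waiting for Google to index the files for you. This is an added example and not code from the original poster: a Python script that walks a directory standing in for the site's public docroot, lists files with extensions that servers hand out as plain text, flags any whose contents look sensitive, and prints the URL each one would be reachable at. The sample tree, the base URL, the extension list and the content patterns are constructed assumptions to adjust per site.

```python
"""Audit a site's document root for plain-text files a crawler can fetch.

Added example for this thread, not code from the original post. It walks a
directory that stands in for the public docroot, lists files with extensions
that servers hand out as plain text, flags ones whose content looks sensitive
and prints the URL each would be reachable at. The sample tree, the base URL,
the extension list and the patterns are all assumptions to adjust per site.
"""
import re
import tempfile
from pathlib import Path

# Extensions typically served as text/plain and used by scripts for records,
# logs, exports and leftover backups (assumption: tune to your stack).
TEXT_EXTS = {".txt", ".log", ".csv", ".bak", ".old", ".sql"}

# Content patterns that suggest the file was never meant to be public.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(r"\b\d{4}([ -]?\d{4}){3}\b"),
    "credential": re.compile(r"(?i)(passw(or)?d|secret|api[_-]?key|token)\s*[:=]"),
    # five crontab schedule fields followed by a command
    "cron": re.compile(r"^\s*([*\d,/-]+\s+){5}\S", re.M),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def audit_docroot(docroot, base_url="https://example.com", max_bytes=65536):
    """Return [(url, [reasons]), ...] for every text-like file under docroot.

    An empty reasons list means the file is fetchable but matched no pattern
    (robots.txt, for instance, is public by design).
    """
    findings = []
    root = Path(docroot)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTS:
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", "replace")
        except OSError:
            continue
        reasons = [name for name, rx in SENSITIVE.items() if rx.search(text)]
        rel = path.relative_to(root).as_posix()
        findings.append((f"{base_url}/{rel}", reasons))
    return findings


def build_sample_docroot():
    """Constructed sample site tree (made-up data) so the audit runs offline."""
    d = Path(tempfile.mkdtemp(prefix="docroot_"))
    (d / "robots.txt").write_text("User-agent: *\nDisallow: /admin/\n")
    (d / "data").mkdir()
    (d / "data" / "orders.txt").write_text(
        "2010-06-09,alice@example.org,4111 1111 1111 1111\n"
    )
    (d / "cron.txt").write_text("*/5 * * * * /usr/bin/php /var/www/cart/poll.php\n")
    (d / "config.bak").write_text("db_password = hunter2\n")
    (d / "index.html").write_text("<html></html>\n")  # not text-like: skipped
    return d


if __name__ == "__main__":
    for url, reasons in audit_docroot(build_sample_docroot()):
        flag = ", ".join(reasons) if reasons else "no pattern matched"
        print(f"{url}  [{flag}]")
```

Point it at the real docroot with your real base URL and treat every hit with a non-empty reason list as something to move outside the web root or deny in the web server configuration; a hit with no reasons still deserves a look, since the patterns are only a first pass.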
  2. GreyWolf

    GreyWolf Executive VIP Jr. VIP

    Yeah, that's a good idea. Most of my sites don't have much to worry about, I think, but I'm going to do some Google searches as you suggested just to be sure. I think especially on my WP sites and membership scripts. Who knows what files are being produced by different scripts. lol
     
  3. ipopbb

    ipopbb Power Member

    Holy shit! Looks like the gstatic sitemaps can be used to create a mailing list of all gmail accounts with a profile!

    http://www.gstatic.com/s2/sitemaps/profiles-sitemap.xml

    Sample from the URL above
    Code:
    http://www.gstatic.com/s2/sitemaps/sitemap-000.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-001.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-002.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-003.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-004.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-005.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-006.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-007.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-008.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-009.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-010.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-011.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-012.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-013.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-014.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-015.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-016.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-017.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-018.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-019.txt 2009-10-08
    http://www.gstatic.com/s2/sitemaps/sitemap-020.txt 2009-10-08

    A sample from each of those
    Code:
    http://www.google.com/profiles/110380198747539293209
    http://www.google.com/profiles/102587397845958499690
    http://www.google.com/profiles/117411322087358319984
    http://www.google.com/profiles/102179076803494681641
    http://www.google.com/profiles/100989118311800957108
    http://www.google.com/profiles/100333602947571884691
    http://www.google.com/profiles/112528851519589172697
    http://www.google.com/profiles/118389468746785752547
    http://www.google.com/profiles/101567479542690738735
    http://www.google.com/profiles/103569355815829414308
    http://www.google.com/profiles/111513306839236909626
    http://www.google.com/profiles/115939073975077571524
    http://www.google.com/profiles/105351841198484404178
    http://www.google.com/profiles/106053475961563253086
    http://www.google.com/profiles/112928719072226825785
    http://www.google.com/profiles/115295714914556431572
    http://www.google.com/profiles/115741693014239963778
    http://www.google.com/profiles/112697577140171902824
    http://www.google.com/profiles/115150714325359326144
    http://www.google.com/profiles/100243490364747879181
    http://www.google.com/profiles/113216685799163964957
    http://www.google.com/profiles/115590855337007319817
    http://www.google.com/profiles/110591908147207323382
    http://www.google.com/profiles/101583284343346087821
    http://www.google.com/profiles/106656067662833985042
    http://www.google.com/profiles/110830106930467304447
    http://www.google.com/profiles/103711427164919933364
    http://www.google.com/profiles/109920132456756510588
    http://www.google.com/profiles/106936301215478571931
    http://www.google.com/profiles/108422140511719447920
    http://www.google.com/profiles/110871605335661341564
    http://www.google.com/profiles/103337710285485033498
    http://www.google.com/profiles/100215723225674687041
    http://www.google.com/profiles/100687052420224652503
    http://www.google.com/profiles/105232900091888367137
    http://www.google.com/profiles/103030545698066554656
    http://www.google.com/profiles/116844691869416520078
    http://www.google.com/profiles/109251830863054060119

    Code:
    http://www.google.com/profiles/105617776816027836477
    
    turns into http://www.google.com/profiles/jofreitas
    
    Note the account in the URL... some require you to go as far as the "report this profile" link to decode. Some international ones are encoded... perhaps base64 or Unicode or something...
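To see concretely what a sitemap index like the one above hands out, here is an added example that is not part of ipopbb's post: a Python walker that follows a sitemaps.org index down to its child sitemaps, handles both the XML urlset form and the plain-text one-URL-per-line form, and pulls the numeric profile IDs out of the resulting URLs. The documents are constructed stand-ins served from a dict keyed by URL (not the real gstatic files), and the /profiles/<digits> path shape is assumed from the URLs quoted in the thread.

```python
"""Follow a sitemap index down to its .txt sitemaps and collect the URLs.

Added example, not code from the original post. A sitemap index lists child
sitemaps, each of which is either an XML urlset or a plain-text file with one
URL per line (both are standard sitemaps.org formats). The documents below
are constructed stand-ins served from a dict so the walk runs offline; the
/profiles/<digits> path shape is assumed from the URLs quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SM_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
PROFILE_ID = re.compile(r"^/profiles/(\d{15,})$")

# Constructed sample documents keyed by URL (stand-ins for HTTP responses).
DOCS = {
    "https://static.example.com/s2/sitemaps/profiles-sitemap.xml": """
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://static.example.com/s2/sitemaps/sitemap-000.txt</loc><lastmod>2009-10-08</lastmod></sitemap>
  <sitemap><loc>https://static.example.com/s2/sitemaps/sitemap-001.txt</loc><lastmod>2009-10-08</lastmod></sitemap>
  <sitemap><loc>https://static.example.com/s2/sitemaps/sitemap-002.xml</loc></sitemap>
</sitemapindex>
""",
    "https://static.example.com/s2/sitemaps/sitemap-000.txt": (
        "https://www.example.com/profiles/110380198747539293209\n"
        "https://www.example.com/profiles/102587397845958499690\n"
    ),
    # blank and malformed lines included on purpose: real files are not always clean
    "https://static.example.com/s2/sitemaps/sitemap-001.txt": (
        "https://www.example.com/profiles/117411322087358319984\n"
        "\n"
        "not a url\n"
        "https://www.example.com/profiles/jofreitas\n"
    ),
    "https://static.example.com/s2/sitemaps/sitemap-002.xml": """
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/profiles/100989118311800957108</loc></url>
</urlset>
""",
}


def fetch(url):
    """Stand-in for an HTTP GET; swap in urllib.request for a live run."""
    return DOCS[url]


def iter_sitemap_urls(url, depth=0, max_depth=3):
    """Yield every page URL reachable from a sitemap or sitemap index."""
    if depth > max_depth:  # guard against index files that point at each other
        return
    body = fetch(url).strip()
    if body.startswith("<"):
        root = ET.fromstring(body)
        if root.tag == SM_NS + "sitemapindex":
            for loc in root.iter(SM_NS + "loc"):
                yield from iter_sitemap_urls(loc.text.strip(), depth + 1, max_depth)
        elif root.tag == SM_NS + "urlset":
            for loc in root.iter(SM_NS + "loc"):
                yield loc.text.strip()
    else:
        # plain-text sitemap: one absolute URL per line, nothing else
        for line in body.splitlines():
            line = line.strip()
            if line and urlparse(line).scheme in ("http", "https"):
                yield line


def collect_profiles(index_url):
    """Return (all URLs, numeric profile IDs) found below the index."""
    urls = list(iter_sitemap_urls(index_url))
    ids = []
    for u in urls:
        m = PROFILE_ID.match(urlparse(u).path)
        if m:
            ids.append(m.group(1))
    return urls, ids


if __name__ == "__main__":
    urls, ids = collect_profiles(
        "https://static.example.com/s2/sitemaps/profiles-sitemap.xml"
    )
    print(f"{len(urls)} URLs, {len(ids)} numeric profile IDs")
    for pid in ids:
        print(pid)
```

The same walker pointed at your own sitemap index shows exactly what you are enumerating for anyone who asks; if a sitemap lists records, accounts or exports you would rather not hand out wholesale, the fix is to stop publishing them in it rather than to hope nobody follows the links.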
     
  4. aftershock2020

    aftershock2020 Senior Member

    And that would be my point about the problem...lol.
     
  5. mofaux

    mofaux Regular Member

    Last edited: Jun 11, 2010
  6. aftershock2020

    aftershock2020 Senior Member

    Of course it has, as most of this stuff has. Take note that this is a post for newcomers that may not have this information. The point is to offer the information so that it is used to protect themselves and their site properties.

    Keep an open mind, as what is old and known to you once wasn't, and is still new and unknown to those just starting out. Anyone that has been working on the internet and working with proper website security knows about this already, or at least they'd better, for their own sake.