June 09, 2023

For the purposes of this article, the concept of a dork is perhaps not what you may first think. But, of course, we’re in the technology industry, so that will shed light on the context. In fact, there are now some modern uses for the term “dork,” and to help me explain, it may be helpful to begin on some familiar ground.

The Google search engine is something that many or most will use every day. This brings us to the idea of the “Google Dork.” A “Google Dork” is not simply a person who spends a lot of time on the internet. It is far more interesting than that. A “Google Dork” is a search query specially tailored to obtain sensitive information not readily available to an average user. Google Dorking or even Google Hacking is the common term for using a search engine for these purposes.

Google Dorking

This means of attack is now quite popular. Often, it may be the first step in finding an easy or soft target for a hack. The search strings to use are very simple. For instance, in the google engine, the syntax “filetype:log” in your search window will find log files. Also, “intext:” will find the text of your choice within that file. These terms, when combined, might look like this “filetype:log intext:password intext:(@outlook.com)”. This would search for outlook domain email accounts referenced in log files with passwords that may be exposed to the internet. This may sound farfetched and possibly a little too simple, but entire websites are devoted to helping people use this kind of hack.

See examples below:

The devotion to this means of attack is not limited to pre-written dorks. Even entire search engines are designed and tailored to seek out and exploit vulnerable devices using a “dork.” That includes identifying servers, applications, webcams, and almost anything online, which is impossibly easy to do.

Google Dorking for Vulnerabilities

So, why are we telling you any of this? This method can easily identify those exposed to one of the more recent Oracle vulnerabilities (CVE-2022-21500). Our investigations have revealed instances in which hackers have created privileged database accounts in client systems before the solutions we provided were implemented.

The search engine www.shodan.io is available to everyone, and just like google dorks, there are websites for shodan dorks which make them available to anybody who can use a keyboard:

As with google, simple search strings in the Shodan search engine can be entered with results returned immediately. In this case, they reveal exposed details by URL and i.p. address, which translates to your company name and location. If you’re shown to be exposed by those using shodan, then finding personally identifiable information such as client or employee names, email addresses, and more can swiftly follow.

Don’t Dork Around

For more information on this, the related security alert distributed by Oracle can be found here:

Along with the reference from the National Vulnerability Database, which rates the CVE as 7.5, High:

The vulnerability described in CVE-2022-21500 can be addressed through best practices in setting up the E-Business Suite. We help our clients achieve this as part of the Vulnerability Assessment we perform for clients when they are on-boarded with Spinnaker Support.

If you are one of our clients and do not know if you have completed the steps to secure your system, please log a ticket with our vulnerability support team to receive the white paper on CVE-2022-21500.

For more information, please visit our security page.

CIS SecureSuite Logo