Unbelievable news in the media: a 14-year-old kid hacks the server of a Canadian authority and downloads secret files. What sounds so incredible has less to do with the young man's hacking skills than with the ignorance of the employees and the incompetence of the IT department. Many people have a misconception about hacking in this area. Of course, they use strong passwords and take the usual precautions, but at the same time they ignore security holes that are actually part of the basics. We show with an example how this could theoretically affect every company and every blogger.
Let's assume that someone at an authority or a company wants to speed up the exchange of information between different sites. To that end, documents are uploaded to the web server so that colleagues from other branches can access them directly via the web. A table of contents is created in HTML so that users can open the confidential files with a single click and search by name. To prevent unwanted access, this page is protected with a highly complex password, which only internal users receive. Is this sufficient?
Information security experts can only shake their heads here. The password is useless if the files themselves are not also stored in a password-protected folder. Remember: a web server on which a website is hosted is like a hard disk that can be accessed from "outside". This also applies to all files stored there. Imagine you upload the file TOP-SECRET.PDF to the web server of XYZ-123.COM. The file can then be opened by anyone who calls up XYZ-123.COM/TOP-SECRET.PDF in their browser. To do so, the user would have to know the exact URL, but that can be found with certain search queries, even with Google.
So that means: at the above-mentioned Canadian authority, anyone who had specifically searched for these files could have read them the whole time. But it was only noticed when a child was caught doing so.
The same problem occurs, for example, in WordPress, software that is used by many bloggers and companies. Many users upload files to the media library. The problem is that the XML sitemap plugin registers these files, and so they can be indexed by Google. If the site operator then sets up a password-protected subpage to offer this content there exclusively, he is lulled into a false sense of security. The media files are reported to Google straight away via the sitemap and end up freely accessible on the net with their exact URL, where anyone can view them. You don't even have to learn how to hack in order to pick them up there.
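
A site operator can check their own site for exactly this. The following added example (not part of the original article) reads a sitemap, picks out the document files it lists, and records whether each one is served without a login. The sample sitemap, the example.com URLs, the status table and all function names are constructed for illustration.

```python
import posixpath
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LOC = "{http://www.sitemaps.org/schemas/sitemap/0.9}loc"
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".zip"}

# Constructed sample sitemap (example.com is a placeholder domain).
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/internal-documents/</loc></url>
  <url><loc>https://example.com/wp-content/uploads/2024/01/TOP-SECRET.PDF</loc></url>
  <url><loc>https://example.com/wp-content/uploads/2024/01/logo.png</loc></url>
  <url><loc>https://example.com/protected/budget.xlsx</loc></url>
</urlset>"""

# Constructed responses standing in for unauthenticated requests to the sample site.
SAMPLE_STATUS = {
    "https://example.com/wp-content/uploads/2024/01/TOP-SECRET.PDF": 200,
    "https://example.com/protected/budget.xlsx": 401,
}

def anonymous_status(url):
    """HTTP status of a HEAD request sent without credentials (run against your own site)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code

def listed_documents(sitemap_xml):
    """Return the sitemap URLs whose path ends in a document extension."""
    urls = [loc.text.strip() for loc in ET.fromstring(sitemap_xml).iter(LOC) if loc.text]
    return [u for u in urls
            if posixpath.splitext(urlparse(u).path)[1].lower() in DOC_EXTENSIONS]

def audit(sitemap_xml, status_of=anonymous_status):
    """Map each listed document to 'exposed' (served without login) or 'protected'."""
    return {url: "exposed" if status_of(url) == 200 else "protected"
            for url in listed_documents(sitemap_xml)}

if __name__ == "__main__":
    # Offline run: the constructed status table replaces real requests.
    for url, verdict in audit(SAMPLE_SITEMAP, SAMPLE_STATUS.get).items():
        print(f"{verdict:9} {url}")
```

Called as `audit(xml_text)` with your own sitemap, it sends the real unauthenticated requests. Because redirects are followed, a 200 can also be a login page, so confirm each flagged URL by hand.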