Ensure your web servers are configured to disable directory listing. Additionally, utilize the robots.txt file to explicitly instruct search engine crawlers which directories they are forbidden from indexing.
Google Dorking, or Google hacking, uses advanced search operators to find vulnerabilities. Search engines index public web pages by default. If a server is misconfigured, Google indexes its internal files too.
: Employees might upload password trackers to public forums, Trello boards, or code repositories like GitHub while trying to share other project assets. The Risks of Credential Leaks filetype xls username password email
Shockingly, some small businesses keep Excel files like customer_passwords.xls for "convenience." These might contain plaintext passwords for webmail, FTP, or CMS admin panels.
The risk is not theoretical. In a public blog post for the OSINT Team, a security researcher documented how they used a slightly modified version of this exact technique ( filetype:xls OR filetype:xlsx "username" "password" ). The result was the discovery of a live, indexed Excel file named dev_Bank_accounts_2024.xlsx hosted on a banking subdomain. This single file contained over 200 internal bank testing accounts, complete with plain-text usernames, passwords, first names, last names, ages, and marital statuses. Ensure your web servers are configured to disable
XLS, or Excel, is a popular file format used to store and share spreadsheet data. While it is widely used for legitimate purposes, it has also become a popular choice for sharing sensitive information such as usernames, passwords, and email addresses. However, using XLS to share sensitive information can have severe consequences.
: This operator restricts search results exclusively to Microsoft Excel spreadsheets. Search engines index these files if they are hosted on a publicly accessible web server. Search engines index public web pages by default
Emailing filetype XLS with sensitive information such as usernames, passwords, and email addresses can be particularly hazardous. Here are some reasons why:
If you were to run this search (which we strongly advise against without ethical authorization), the results would fall into several categories:
A user might upload the spreadsheet to a public cloud storage folder (like open Google Drive, OneDrive, or Dropbox links), an unsecured corporate FTP server, or a public-facing web directory.
: Narrows the results to files containing contact addresses, which are often used as usernames.