Google Dork Password for Nuclear Regulatory Commission
I found a spreadsheet containing a nuclear materials database credential on Google. The technique used was very simple, but I have to wonder why such a document misplacement was overlooked. Maybe people are afraid to tell them they just stumbled upon a nuclear system fearing they might get disappeared. Well, I decided to contact them and hilarity ensued. The database was relatively benign, but the saga went on for a little longer than it should. This also resulted in my first interview for a major publication, The Guardian.
This was a fun one, from both a simplicity and a disclosure perspective. The dork itself was fairly simple:
ext:xls password inurl:nrc.gov
The first entry was a spreadsheet for a Nuclear Materials Embrittlement reporting database. Sure enough, there was a password to access that system in the sheet.
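As an added example (not the author's code or anything the NRC publishes), the following Python script turns the dork above into a self-check for a domain you own: it builds the same `ext:… password inurl:…` queries for a list of file types, and it scans a downloaded document offline for credential-looking cells. The scanner pulls printable strings out of the raw bytes in both ASCII and UTF-16LE, since legacy .xls (BIFF) files store many cell strings as UTF-16LE and a plain ASCII pass would miss them, then reports each keyword hit together with the string that follows it, because a spreadsheet's label and its value usually sit in adjacent cells. The keyword list, the example.invalid host and the sample bytes are constructed for illustration.

```python
"""
Added example, not part of the original post: generate dorks of the form used
above for a domain you own, and scan a downloaded document offline for
credential-like strings.  The keyword list, the sample bytes and the
example.invalid host are assumptions constructed for illustration.
"""
import re

# Strings that commonly label a credential cell in a spreadsheet
# (assumption; tune for your environment).
CRED_KEYWORDS = ("password", "passwd", "pwd", "credential", "secret")


def build_dorks(domain, exts=("xls", "xlsx", "csv", "doc", "docx", "pdf", "txt"),
                keywords=("password",)):
    """Return queries in the shape of the post's dork: ext:xls password inurl:nrc.gov"""
    return [f"ext:{ext} {kw} inurl:{domain}" for ext in exts for kw in keywords]


def extract_strings(data, min_len=4):
    """Recover printable runs from a binary blob, in file order.

    Both plain ASCII and UTF-16LE runs are collected: legacy .xls (BIFF) files
    store many cell strings as UTF-16LE, which an ASCII-only pass would miss.
    """
    patterns = (
        (rb"[\x20-\x7e]{%d,}" % min_len, "ascii"),
        (rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, "utf-16le"),
    )
    found = []
    for pattern, encoding in patterns:
        for m in re.finditer(pattern, data):
            found.append((m.start(), m.group().decode(encoding)))
    found.sort()  # interleave the two passes by byte offset
    return [text for _, text in found]


def find_credentials(strings, keywords=CRED_KEYWORDS):
    """Return (label, neighbour) pairs for strings that look like credential labels.

    Spreadsheet labels and values usually live in adjacent cells, so the string
    following a hit is reported alongside it as the probable value.
    """
    hits = []
    for i, s in enumerate(strings):
        low = s.lower()
        if any(k in low for k in keywords):
            neighbour = strings[i + 1] if i + 1 < len(strings) else ""
            hits.append((s, neighbour))
    return hits


def scan_bytes(data):
    """Full pipeline on an in-memory document."""
    return find_credentials(extract_strings(data))


def scan_file(path):
    """Full pipeline on a downloaded document (e.g. the .xls a dork turned up)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: not a real BIFF file, just the byte layout a strings pass
# sees in one (ASCII runs, then UTF-16LE runs, separated by non-printable bytes).
SAMPLE_XLS_LIKE = (
    b"\x09\x08\x10\x00"
    + b"Username\x00\x00jdoe\x00\x00Password\x00\x00Tr0ub4dor&3\x00\x00"
    + b"\x01\x00" + "Login URL".encode("utf-16le")
    + b"\x01\x00" + "https://example.invalid/db".encode("utf-16le")
    + b"\x01\x00" + "Passwd".encode("utf-16le")
    + b"\x01\x00" + "Secr3t!".encode("utf-16le")
)

if __name__ == "__main__":
    for q in build_dorks("example.invalid", exts=("xls", "xlsx")):
        print(q)
    for label, value in scan_bytes(SAMPLE_XLS_LIKE):
        print(f"possible credential: {label!r} -> {value!r}")
```

Run it against each file the queries surface for your own domain (`scan_file(path)`); anything it flags is worth a manual look before the next person runs the same dork. The neighbour-cell heuristic will produce some noise (a label followed by a heading, say), which is the right trade-off for a review tool: a missed hit costs far more than a false positive.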
I contacted the NRC the same day alerting them to the issue. After some evaluation, they stated they did not think it was an issue. They said anyone could request access anyway, and the password was just to keep tabs on it. However, if something is worth putting a password on at all (even if just metrics), having it exposed violates that purpose. Furthermore, this indicates other sensitive information could be exposed as well in a similar fashion. Well, I was busy with work so I thought I would inquire further later.
(>1 year later)
When Full Disclosure went offline in March 2014, I felt a little sorry for never having shared so many things, like this spreadsheet. When it was revived on SecLists shortly after, I decided it needed a bit of fun, so I posted this, much to the moderator's displeasure (indicated by the fact that no replies to the list under that thread went through, only direct messages).
It didn’t take long for the NRC to pull the file and replace it with an updated copy. I also got only two emails from the FD list. One was from an interested person for more details, another simply said “WHAT THE FUCK?” Turns out that interested person was from The Guardian, and I ended up in a little piece.
This was a simple find, but an interesting one due to the nature of the organization it affected. Regardless of its actual merits in posting, I figured it warranted an entry here if only because I can say “I’m Hon1nbo, as seen on The Guardian.”