Google Used to Crack Password

By Greg McNevin

November 23, 2007: While investigating a hack attempt on his website, a security researcher from Cambridge University’s computer science department has stumbled on a way to use Google as a password cracker.

When the department’s Light Blue Touchpaper WordPress blog was compromised by a hacker recently, researcher Steven Murdoch decided to do a little detective work while checking what the hacker had been up to.

Due to an SQL injection weakness in the WordPress installation, the hacker was able to upgrade his account from a user with comment posting privileges to a full administrator. The security team quickly disabled the account, but during the clean-up Murdoch found himself intrigued by what password the hacker had been using.

There was an entry in the database for the password, but it was stored as a Message-Digest Algorithm 5 (MD5) hash.

“I wrote a trivial Python script which hashed all dictionary words, but that didn’t find the target (I also tried adding numbers to the end). Then, I switched to a Russian dictionary (because the comments in the shell code installed were in Russian) but that didn’t work either,” writes Murdoch on the team’s blog.

Instead of spending time writing a more substantial password cracker, Murdoch turned to Google and searched for the MD5 hash in question (http://www.google.com/search?q=20f1aeb7819d7858684c898d1e98c1bb), turning up several results with the name “Anthony”, which turned out to be the password.

“Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best — storing large databases and searching them. I doubt, however, that they envisaged this use though,” adds Murdoch.
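Why the search worked, shown as an added example that is not from the article or from Murdoch's script: unsalted MD5 maps the same password to the same value on every site, so any published word/hash pair serves as a lookup table, while a per-user salt breaks that property. The word list, function names and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# MD5 value quoted in the article, which reports "Anthony" as the password.
ARTICLE_HASH = "20f1aeb7819d7858684c898d1e98c1bb"

# Constructed word list standing in for pages that publish a string beside its MD5.
INDEXED_WORDS = ["password", "letmein", "Anthony", "cambridge"]


def md5_hex(text):
    """Unsalted MD5 as a hex string, the storage format the article describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_index(words):
    """Map md5(word) -> word. One table serves every account, because
    unsalted MD5 gives the same output for the same input everywhere."""
    return {md5_hex(w): w for w in words}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated alternative (PBKDF2-HMAC-SHA256, standard library)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    index = build_index(INDEXED_WORDS)
    print("unsalted lookup:", index.get(ARTICLE_HASH))
    salt_a, stored_a = hash_password("Anthony")
    salt_b, stored_b = hash_password("Anthony")
    print("same password, equal stored values:", stored_a == stored_b)
    print("salted value present in index:", stored_a.hex() in index)
    print("verifies with its own salt:", verify_password("Anthony", salt_a, stored_a))
```
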
