Audiogalaxy + Google = Free Passwords!

by Marc Hedlund

Related link: Is your Audiogalaxy password available on Google?

A few weeks ago, I wrote about a serious security flaw in the Audiogalaxy P2P file-sharing client. Sidney Markowitz read the article and, as he writes, he:

[...] got alarmed, and ran a Google search on the words audiogalaxy loginusername.

Along with your article, which contains that string, were two matches that contained people's id and password. Google's web crawler apparently found the links in some kind of cache on a site misconfigured to make the cache public...

Good catch, Sidney. Google crawls the public Internet looking for Web resources to index. If confidential information like a username or a password is included in a publicly-accessible URL, it can show up in Google search results. Along with the risks mentioned in my original article, Audiogalaxy now has another good reason to fix their client.
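The mechanism above, put into defender's terms: any credential a client places in a URL query string is written, verbatim, into every access log, proxy cache and link cache the request passes through, and from there a crawler can pick it up. The following script is an added example written for this post, not code from Audiogalaxy or from the original article. It scans web-server-style log lines for requests whose URL carries credential-like parameters and shows how to redact such URLs before they are stored. The parameter name loginusername comes from the post; the other parameter names, the sample log lines, the timestamps and the EXAMPLE_USER/EXAMPLE_PASS values are constructed for illustration.

```python
"""Find URLs that carry credentials in their query string (as a mis-configured
cache or access log would record them) and redact them before storage.

Added example for this post, not Audiogalaxy's code. ``loginusername`` is the
parameter name mentioned in the post; everything else here is an assumption
or a constructed sample."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never travel in a URL. ``loginusername`` is the
# one the post mentions; the remaining names are common ones added as an
# assumption and can be extended for a given application.
CREDENTIAL_PARAMS = {
    "loginusername", "loginpassword", "username", "user",
    "password", "passwd", "pwd", "pass",
}

# Constructed sample in Common Log Format, as a cache or proxy might record it.
# The credential values are placeholders, not real accounts.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2001:14:35:38 -0700] "GET /index.html HTTP/1.0" 200 512
10.0.0.7 - - [20/Aug/2001:14:36:01 -0700] "GET /client/login?loginusername=EXAMPLE_USER&loginpassword=EXAMPLE_PASS HTTP/1.0" 200 233
10.0.0.9 - - [20/Aug/2001:14:36:45 -0700] "GET /search?q=audiogalaxy HTTP/1.0" 200 1024
10.0.0.9 - - [20/Aug/2001:14:37:10 -0700] "POST /client/login HTTP/1.0" 302 0
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def credential_params(url):
    """Return the credential-like parameter names present in the URL's query string."""
    query = urlsplit(url).query
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & CREDENTIAL_PARAMS)


def find_credential_urls(log_text):
    """Return (line_number, method, target, params) for each request whose URL
    carries credentials. A POST that sends the same fields in the body does not
    appear in the log line, which is exactly why it is the safer design."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = credential_params(m.group("target"))
        if params:
            hits.append((lineno, m.group("method"), m.group("target"), params))
    return hits


def redact_url(url):
    """Replace the value of every credential-like parameter with REDACTED so the
    URL can be logged or cached without exposing the secret itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [
        (k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for lineno, method, target, params in find_credential_urls(SAMPLE_LOG):
        print(f"line {lineno}: {method} {redact_url(target)}"
              f"  <- credentials in URL: {', '.join(params)}")
```

Run against a real access log, the scan tells a site operator whether credential-bearing URLs have already been recorded (and therefore may already be in someone's cache or index); the redaction step is what a logging or caching layer should apply before writing anything to disk. Neither fixes the root cause, which is a client that sends credentials in a GET query string at all; that belongs in the request body of a POST, ideally exchanged once for a session token.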

I originally reported the security flaw to Audiogalaxy on July 16th, 2001, but I have received no reply from them in the month since. In addition, the client I downloaded from their site this morning (version 0.606W) still contains the flaw. As a result, I would very strongly recommend uninstalling Audiogalaxy if you are using it, and trying another file-sharing client with a better attitude towards its users' security. And if your password is available from Google, change it quickly!


2001-08-20 14:35:38
I tried the google search and pulled up a hit. Clicking on the link took me to logged in as that user.