Comment Updates (Score 1) 127
Hey,
I'm Gergely, who found the hex method.
First of all, Google did get back to me after Bennett put this up; I let him know. They said that they deemed it was not a bug, outside the bounty's scope. Someone else outside the security team fixed this though, but it is not eligible for a bounty, which is fair. They probably ignored my email on the security side as it was not relevant while some other Googler fixed it in the meantime. Oh well.
Pretty much what this boils down to is: I have found the bug in a system that was put in place to prevent these queries from going through. The filter could be bypassed, which has now been fixed, so it was indeed a bug. Whether the filter should be there is an entirely different question. I'd really like Google to not have any filters like this at all. Censoring is always a slippery slope, and might not be efficient. The current system sort of makes this attack harder, and is relatively harmless, unless you want to search for large number ranges (legitimately).
You also say that these should not be put up on the internet, and I agree completely. Mostly these are not leaked by companies (come on, no one is that stupid). 99% of the data found are credit card trading forums, leaked keylogs, pastebins, other stuff malicious people put up. Script kiddies are very stupid, they might be infecting lots of machines with their malware but leave the logs in an indexable directory (I've seen this happen).
A person here hacked together a Google dork which works somewhat less reliably than the hex method, but you can get pretty much the same stuff. I've come to the same result as he did (you can put together this dork in 5 seconds), but found it to be much less reliable than my method. In any case, if someone wants to search for cc numbers they will be able to, no matter what Google does. Security is very often not making things 100% secure, but raising the bar high enough so that the effort put into breaking in isn't worth it.