The Digital Voyeurs: What Happens When You Peek Through "view.shtml"?
This article is part of our "Google Dorking for Defenders" series.
Example Attack: If the server is misconfigured, an attacker might request: http://target.com/view/view.shtml?page=<!--#exec cmd="cat /etc/passwd" -->
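To spot requests like the one above in your own web logs, here is a detection sketch, added as an example and not taken from the original article. It assumes Apache/nginx combined log format; the function names and the sample log entries are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Opening of an SSI directive; names are the Apache mod_include directives.
SSI_RE = re.compile(
    r"<!--#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b", re.I)
# Client IP, method, request target and status from a combined-format log line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssi_attempts(lines):
    """Return (client_ip, directive, status, decoded_target) per flagged request."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        ip, _method, target, status = m.groups()
        decoded = fully_decode(target)
        d = SSI_RE.search(decoded)
        if d:
            hits.append((ip, d.group(1).lower(), int(status), decoded))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /view/view.shtml HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /view/view.shtml?page=live HTTP/1.1" 200 512',
    # The article's example request, percent-encoded once.
    '203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /view/view.shtml?page='
    '%3C!--%23exec%20cmd=%22cat%20/etc/passwd%22%20--%3E HTTP/1.1" 200 734',
    # The same request, percent-encoded twice.
    '203.0.113.9 - - [10/Oct/2024:13:56:05 +0000] "GET /view/view.shtml?page='
    '%253C!--%2523exec%2520cmd%253D%2522cat%2520/etc/passwd%2522%2520--%253E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, directive, status, target in find_ssi_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} directive={directive} target={target}")
```

A hit shows an attempt, not execution. On Apache, `Options IncludesNOEXEC` keeps SSI available while disabling `#exec`.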
The Unintended Audience: A Glimpse Through "inurl:view/view.shtml"
When indexed by Google, these pages allow anyone to view live camera feeds from around the world. Users have historically used this string to find a wide variety of locations, including:
Public areas: Parks, ski resorts, and waterparks.
Private/Professional settings: Classrooms, pet shelters, and neighborhood streets.
Curiosities:
: The camera is accessible to anyone on the internet.
Privacy advocates argue that the existence of these queries demonstrates the failure of "security by obscurity." Just because a URL is hard to guess doesn't mean it is secure. The inurl:view/view.shtml query proves that obscurity is temporary. Once a specific vulnerability or default path is known, search engines index it, making it searchable for anyone with an internet connection.
.shtml files were used for Server Side Includes (SSI), a primitive dynamic content method. A view.shtml might include a timestamp, user IP, or run a CGI script to refresh an image, all without PHP or ASP.