I. ABSTRACT

There is no denying that one of the biggest dreams of anyone with a lot of content on their site is to be indexed by the top search engines in the world. In reality, we should realize that even though a search engine can help us “promote” our content to the public, the same search engine can also “betray” site owners by leaking information if they do not set up blocking rules properly.

This mindset is backed by research conducted by Ateeq Khan. In November 2013, he demonstrated an interesting vulnerability (Critical Information Disclosure) in the Microsoft Yammer product using the main function of a search engine. Because a token had been “accidentally” indexed by the search engine, an attacker at that time could use the leaked information to log in to the related account.

Having seen both sides of what a search engine does, in this simple paper we also discuss the same vulnerability (the one Ateeq Khan found in 2013) at another big company: PayPal. The problem exists because PayPal and Xoom (a PayPal acquisition) did not set up blocking rules properly to prevent search engines from indexing the list of emails and a few lists of transaction purposes used by their users in their applications. Using a simple dork (on Google or another search engine), we could easily enumerate that information.