How Did Yandex Discover a Private URL?
I recently set up a VPS server to provide a private service for an Appengine app. To test exception handling, I set up a test URL /boo.hoo/test, and visited it a couple of times with Chrome browser on Ubuntu to make sure things worked the way I expected. This URL has never been used by the app.
I forgot to remove the test code, and this morning (three weeks later) received an error message, which shows my exception handling works... except I hadn't visited the URL and I can't understand how anyone else knew it existed.
The request log shows (long sequences of base64 replaced with "..."):
46.42.171.81 - - [31/May/2018:06:40:12 +1200] "GET /boo.hoo/test HTTP/1.1" 401 3817 "http://yandex.ru/clck/jsredir?from=yandex.ru%3Bsearch%3Bweb%3B%3B&text=&etext=1804.R2Y-...&state=...&sign=...&keyno=0&cst=...&ref=...&l10n=ru&cts=1527705451111&mc=4.949890056" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 YaBrowser/18.2.1.174 Yowser/2.5 Safari/537.36"
So how did Yandex discover this URL?
8 comments
[ 2.3 ms ] story [ 19.1 ms ] threadAlso since Chrome is a Google product, you should expect they are logging what you do. So maybe Yandex has breached them? Yikes.
Other possibilities are somewhere in the network between you and the server, or somewhere in the Ubuntu networking stack(!). Maybe you thought of all these, but I'm mentioning them since you didn't.
Perhaps your ISP does the same thing and sells the data to Yandex?
We have only a handful of admins with access to this resource. It's possible one of them had a malicious extension I suppose, but even if they did, how did this leak to Yandex?
My colleague also found this discussion[0] recently, which reports a similar problem.
[0]https://www.webmasterworld.com/webmaster/4829663.htm
We also saw that this page was indexed by Yandex when we searched on their website. This page wasn't/isn't indexed by Google, Bing, DuckDuckGo etc by the way...