One thing I have noticed while auditing various “internal use only” systems that are not reachable from the Internet is that, although they are offline, their existence is freely reported to Google, together with their URLs and IP addresses.
The reason is that many developers integrate something provided by Google or another vendor, be it JavaScript or web fonts. As an example, when you include a CSS file hosted by Google, every time someone loads the internal application Google gets a request from the client's web browser, and that request carries the referring URL.
Here is an example of the outbound request headers from a web page that includes a style sheet provided by Google:
host: fonts.googleapis.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://someportal.corp.inernal/css/main.css
The “Referer” header can easily be harvested from the vendor's server logs. So the next time you include external resources, think about whether you want a third party to know about your internal systems.
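As an added example (not code from the original post), here is a small Python audit script that parses an application's HTML for resources fetched from hosts outside the internal domain, i.e. the includes that cause the Referer leak described above, and checks whether a Referrer-Policy response header or meta tag (the standard browser-side mitigation for this leak) is in place. The sample HTML and the ".corp.internal" suffix are constructed for the example.

```python
"""Audit an internal app's HTML for third-party includes that leak the Referer."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a URL (and send a Referer with it).
URL_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
# Referrer-Policy values that never send the page URL to another origin.
SAFE_POLICIES = {"no-referrer", "same-origin"}


class _ResourceCollector(HTMLParser):
    """Collects every fetched URL plus any <meta name="referrer"> value."""
    def __init__(self):
        super().__init__()
        self.resources = []      # list of (tag, url)
        self.meta_referrer = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in URL_ATTRS and a.get(URL_ATTRS[tag]):
            self.resources.append((tag, a[URL_ATTRS[tag]]))
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_referrer = (a.get("content") or "").strip().lower()


def _host_of(url):
    """Host part of an absolute or protocol-relative URL; None if relative."""
    if url.startswith("//"):
        url = "https:" + url
    return urlsplit(url).hostname


def find_third_party_resources(html, internal_suffix):
    """Return (tag, url) for each resource whose host lies outside internal_suffix."""
    p = _ResourceCollector()
    p.feed(html)
    return [(tag, url) for tag, url in p.resources
            if (host := _host_of(url)) and not host.endswith(internal_suffix)]


def referrer_is_protected(response_headers, html):
    """True if a safe Referrer-Policy is set via header or <meta name="referrer">."""
    headers = {k.lower(): v.strip().lower() for k, v in response_headers.items()}
    p = _ResourceCollector()
    p.feed(html)
    return headers.get("referrer-policy") in SAFE_POLICIES or p.meta_referrer in SAFE_POLICIES


# Constructed sample page: one Google font include, one local CSS, one internal script.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/css/main.css">
<script src="//static.corp.internal/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_third_party_resources(SAMPLE_HTML, ".corp.internal"):
        print(f"leaks Referer via <{tag}>: {url}")
    print("referrer policy protected:", referrer_is_protected({}, SAMPLE_HTML))
```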