Remix.run Logo
edoceo 5 hours ago

I've been working on a site. It's new, domain is only a few weeks old. It's got SSL, so all the bots know it exists. It's never had any sub-pages exposed, just the placeholder lander, no links.

Somehow in Google search one of the unguessable pages is indexed. We have used Claude and Gemini to assist with some design aspects.

I'm thinking some aggressive data ingestion/indexing is happening by all the bots in the quest for frontier models.

resonious 4 hours ago | parent | next [-]

I've also seen Google indexing pages with random values in the path that don't get linked to statically (server asks for the URL then redirects to it immediately). I'm pretty sure they index straight out of the Chrome address bar.

st_goliath 4 hours ago | parent | next [-]

Yep. I remember a similar story as GP described from a friend back in 2008. The site he was working on that wasn't linked to yet was suddenly indexed after he checked out what it looked like in the fancy new "Chrome" browser that Google had just released, causing some moderate panic on his end.

morpheuskafka 4 hours ago | parent | prev | next [-]

This may have been part of this issue I found a few months back, as no other explanation for how UUID URLs got indexed was found: https://news.ycombinator.com/item?id=47769796

edoceo 2 hours ago | parent [-]

What the heck! That is terrible!

2 hours ago | parent | prev | next [-]
[deleted]
Vvector 3 hours ago | parent | prev | next [-]

This is why i use Firefox

foobarbecue 4 hours ago | parent | prev [-]

Holy crap I hope that's not true. I've also had unguessable pages indexed, though, and don't have an explanation.

FabCH 4 hours ago | parent | next [-]

It’s absolutely true. It is a documented fact. It was discovered and entered into public record during the DOJ antitrust investigation into Google Chrome.

They call the signal „popularity“ and it is a successor of the Google Toolbar signal.

https://www.justice.gov/opa/pr/department-justice-wins-signi...

NuclearPM 3 hours ago | parent [-]

> „popularity“

Why are you using weird quotes?

evilduck 2 hours ago | parent [-]

I'll take a wild guess and assume they are of a German or Polish language background. Wait 'til you encounter a French person who accidentally uses guillemets if you want one even «weirder».

robin_reala 2 hours ago | parent | next [-]

Or the Nordics ”like this” or the UK ‘like this’ or Japan 「like this」. Basically every country has their own standard: https://en.wikipedia.org/wiki/Quotation_mark#Summary_table

FabCH an hour ago | parent | prev [-]

Correct. Swiss German keyboard.

chasd00 3 hours ago | parent | prev | next [-]

This is why Chrome begs you to login constantly and will do it automatically when you login to Gmail through Chrome. Everything you do in the browser (bookmarks, settings, address bar) is data about you sent to Adsense. No need for cookies when you control the browser and know who is using it.

Edit: also private browsing isn’t exactly private when you’re logged in to the browser.

nicce 4 hours ago | parent | prev | next [-]

Something worth inspecting further. We know that Chrome stores and sends the browsing history but this is an interesting vector.

DANmode 4 hours ago | parent [-]

I’d be more surprised if they weren’t capturing this information.

Especially if you have autocomplete-while-searching type of features on.

EGreg 4 hours ago | parent [-]

Why don’t they also capture information you enter into forms on Chrome?

They control the entire browser surface, technically they can know everything, even TLS and E2E encrypted data, that they silently phone home…

If you think this is silly, consider that Microsoft Recall had been observing everything on people’s entire SCREENS and phoning home much of it. That is how a guy was caught recently: https://x.com/t3chfalcon/status/2074134314145489195

And it is actually much worse than even that:

https://community.qbix.com/t/increasing-state-of-surveillanc...

pixl97 3 hours ago | parent [-]

>Why don’t they also capture information you enter into forms on Chrome?

For some reason people are downvoting you, but yea, one day we'll likely see a lawsuit where they do exactly that.

3 hours ago | parent [-]
[deleted]
inigyou 4 hours ago | parent | prev | next [-]

There's no reason to think it isn't true. It matches every pattern of behavior observed from every tech company.

EGreg 4 hours ago | parent [-]

Why don’t they also read your gmail and get your bank passwords?

And maybe have access to EVERY site actually, with “forgot password” type stuff in addition to providing oauth tokens…

dbdr 3 hours ago | parent | next [-]

" Microsoft is scanning the inside of password-protected zip files for malware"

https://arstechnica.com/information-technology/2023/05/micro...

pjc50 3 hours ago | parent | prev | next [-]

The tools in gmail in some sense "read" all your mail in order to classify spam and do things like calendar integration. The extent to which they do other things with the information is .. unclear.

inigyou 3 hours ago | parent | prev | next [-]

Because your bank doesn't send your password to your Gmail because if they did they know Google would read it.

applfanboysbgon 3 hours ago | parent | prev | next [-]

> Why don’t they also read your gmail

Boy do I have news for you.

saghm 2 hours ago | parent [-]

Yeah, I thought it was pretty obvious that is literally the whole reason that Gmail even exists

3 hours ago | parent | prev [-]
[deleted]
jacekm 2 hours ago | parent | prev [-]

Chrome sends home the urls you visit together with the page performance data (and probably more). That's how they build Chrome User Experience Report (CrUX) for the most popular sites: https://developer.chrome.com/docs/crux

cynerx 4 hours ago | parent | prev | next [-]

Are you using Cloudflare by any chance? I think the Crawler Hints setting [1] exposed some of my "secret" pages in the past.

[1] https://developers.cloudflare.com/cache/advanced-configurati...

edoceo 2 hours ago | parent [-]

I'm not using cloudflare.

dreambigwrkhard 4 hours ago | parent | prev | next [-]

Depending on the CMS, if it's wordpress (15% chance, ha) there is a sitemap function built-in out of the box. The bots don't need to guess.

edoceo 2 hours ago | parent [-]

No CMS, no sitemap, no robots.txt either.

dataviz1000 3 hours ago | parent | prev | next [-]

The tin hat guess. Did you include Google analytics embedded in the pages? Do you navigate to pages and Google analytics sends that data home? 10 years ago I discovered that Google analytics would send the equivalent amount as organic users; meaning if we sent an email newsletter with links to articles, Google would send almost 1:1 ratio the same number of people from search results. They are tracking everything and using it for more than just reporting.

Do you use a CMS or other tools that auto generate sitemap.xml? Perhaps you unknowingly told Google about those sub-pages.

edoceo 2 hours ago | parent [-]

No GA, no external assets, no Google fonts. I really thought I was being careful.

pohuing 4 hours ago | parent | prev | next [-]

There's a couple avenues besides just stealing what's in your URL bar.

If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs. Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.

basilikum 3 hours ago | parent | next [-]

> HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.

HSTS preload is not for speed. It's to protect against SSL stripping on first connection. Modern browsers already try port 443 first or in parallel with 80.

brookst 4 hours ago | parent | prev | next [-]

For hosts, but not pages on the site.

But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.

fragmede 4 hours ago | parent | prev [-]

CT logs just explain how they found the domain. T doesn't explain how they could have found unlinked content on the domain itself. If I put up secret-example.com/asdf-1234567.html, how does that page get found if there are no public links to it?

pohuing an hour ago | parent | next [-]

True. I just assumed imprecise phrasing.

Google misusing chrome browser history as a hitlist for indexing sounds wild to me, so I tried to see if there's another way.

It also felt unlikely because there's multiple subdomains of mine that aren't indexed, and wildcards+no preload are the only precautions I've made myself for my private sites.

This might also be an EU vs rest of World thing, or my stuff isn't interesting enough to index(in retrospect the most likely reason I suppose)

Lomlioto 3 hours ago | parent | prev [-]

Don't underestimate people not knowing were they share stuff by accident.

Creating Sitemaps, sharing it somewere public, putting the url in some 3th party service, server logs, some indirect path in javascript.

But if you never mention that url, it will not be found if not leaked by your server.

saghm 2 hours ago | parent [-]

> But if you never mention that url, it will not be found if not leaked by your server

That sounds like a claim that security through obscurity is infallible, which is dubious. Don't get me wrong, it can be a reasonable part of defense-in-depth strategy, but like, brute force attacks are kinda a well known thing, especially if your URLs aren't truly random...

f311a 4 hours ago | parent | prev | next [-]

Google Chrome used to report visited pages back to Google, not sure if this still the case. Also, Google Analytics can see visited pages and Google uses it.

Finding domains is easy, everybody uses CTL to find them.

VladVladikoff 4 hours ago | parent | prev | next [-]

Google uses data from chrome. If you visited it with chrome, google knows it exists.

yread 2 hours ago | parent | prev | next [-]

I have about 50 subdomains. One was used by a colleague who cant do his shoelaces without claude. That subdomain gets 10 times more spam and hacking attempts.

malwrar 3 hours ago | parent | prev | next [-]

They log all DNS requests made to their public resolver in a searchable internal database, at least when I worked there a decade or so ago. I wonder if they seed their crawler with it?

Analemma_ 3 hours ago | parent [-]

DNS servers never see subpaths you request, only the domain itself, so that wouldn’t help with a hidden path. But there are lots of other ways to get it: caches/CDNs can leak paths, Chrome presumably sends Google a bunch of request details, and so on.

It’s a different story if it’s a subdomain though, OP wasn’t clear.

htek 4 hours ago | parent | prev | next [-]

Nothing you enter into an LLM not hosted by you, or put onto the web is safe from being collected and exploited by these "AI" companies and their LLM's voracious appetite.

mirekrusin 4 hours ago | parent | prev | next [-]

Isn't leaking browser extension used by one of people on the team (doesn't need to be developer, could be qa or anybody with whom the access was shared) more plausible?

animex 3 hours ago | parent | prev | next [-]

I've always wondered if Chrome leaks these URLs too.

phoghed 4 hours ago | parent | prev | next [-]

You ISP also collects and sells data to companies like Moz, and possibly to Google too.

soblemprolver 4 hours ago | parent [-]

URL paths over https wouldn't be transparent to the ISP though, would they?

throw10920 4 hours ago | parent [-]

They would not - GP was probably bringing up something not directly relevant, but still related. (they should have clarified though)

edoceo 2 hours ago | parent [-]

What can I add? I know the domain could be found. But how did Google index a page that is example.com/$MD5.html - guessing 128bit numbers is hard.

I have visited that page from a signed-in Chrome profile.

throw10920 an hour ago | parent [-]

Erm sorry when I said GP I meant of my comment - that is, phoghed's irrelevant comment about ISPs collecting data.

The information you mentioned is relevant. Unfortunately, it could be either Google/Chrome, or the LLM service you're using for development is misusing your data.

NDlurker 2 hours ago | parent | prev | next [-]

Hmm. Seems like this could be used for an ARG

4 hours ago | parent | prev | next [-]
[deleted]
DonHopkins 2 hours ago | parent | prev | next [-]

I've gotten unguessable hits in the logs because somebody who was authorized to use them had a virus that exfilterated their browser history.

Might have been an evil chrome extension, but ever since Google went IOK2BE ("It's OK to be Evil"), maybe it's just Chrome itself.

stavros 3 hours ago | parent | prev | next [-]

It's indexed some unlisted draft blog posts of mine that were never touched by AI or published anywhere. I use a static site generator so there's no earthly way they ever found the pages by scraping, at most I visited the pages once or twice from my browser.

brador 4 hours ago | parent | prev [-]

Chat programs catch links you send.

Also that browser setting to check urls are safe sends them out “sometimes“.