While performing authorized audits (with permission), security researchers have uncovered shocking exposures using this exact search string.
In any search engine (Google, Bing, or Shodan), the inurl: operator instructs the search engine to look for the subsequent text exclusively within the URL of a webpage. For example, inurl:admin returns all pages that have the word "admin" in their web address (e.g., example.com/admin/login.php).
A researcher in 2022 used inurl:viewerframe mode motion install and found an IP camera facing a loading dock in Chicago. Not only was the video feed public, but the "install" page allowed full administrative access without a password. The researcher could pan, tilt, zoom, and disable motion alerts. The warehouse belonged to a logistics firm. A brief email to their IT department fixed the issue—but the exposure had existed for over two years.
When a device is exposed directly to the internet (port 8765 by default, or 80/443 via reverse proxy) without a login page or with default credentials, this string becomes visible to search engine crawlers. inurl viewerframe mode motion install
The string inurl:viewerframe?mode=motion is a specialized Google search command. It scans the internet for web servers (specifically IP cameras and DVRs) that have an unprotected interface page named viewerframe operating in motion detection mode.
It does not lead to a downloadable file. Instead, it typically leads to a live video feed of a security camera somewhere in the world.
To understand why inurl:viewerframe mode motion install is so effective, we need to look at the architecture of older webcam software. If an installer never changed the default settings,
Popular in the mid-2000s to early 2010s, software like WebCamXP 5 and Active WebCam allowed users to broadcast a webcam feed using a built-in web server. The default file structure for these applications typically includes:
If an installer never changed the default settings, the URL path remained predictable. This predictability is why inurl:viewerframe mode motion install works as a "Google dork."
Use robots.txt to prevent search engine spiders from indexing your camera interface. Add: However, note that robots
User-agent: *
Disallow: /viewerframe
Disallow: /install/
However, note that robots.txt is a suggestion, not a command, and it does not protect you from malicious scanners.
Another audit uncovered a webcam labeled "Nursery Camera" in Brazil. The motion detection mode was set to record clips to a public directory. An attacker could have downloaded weeks of video clips showing the daily routine of a family. The install directory contained the router’s public IP and the internal network layout.