: Instead of port forwarding, use a VPN to access your home network securely.
The inurl: operator is a Google advanced search command. It restricts search results to pages that contain a specific word or phrase within the actual URL (Uniform Resource Locator). For example, inurl:admin would find pages with "admin" in the web address, such as www.example.com/admin/login.php .
The Google search operator inurl:view/index.shtml is one of the most well-known and enduring "Google dorks" in existence. For nearly two decades, security researchers, ethical hackers, and unfortunately also malicious actors have used this simple search string to locate thousands of internet-connected security cameras that were inadvertently left exposed to the public. This is not a theoretical vulnerability or a complex exploit requiring advanced technical skills. It is, in many cases, the result of a single, fundamental oversight: failing to configure security settings on an IP camera before connecting it to the internet.
Instead of exposing the camera directly to the internet for remote viewing, require users to connect to a secure home or business VPN first. Once inside the encrypted VPN tunnel, users can access the camera using its local IP address. inurl viewshtml cameras
: When an exposed camera is found, it provides immediate steps to secure it, such as disabling Universal Plug and Play (UPnP) , changing default credentials, or setting up a VPN.
Industrial and residential security cameras do not inherently want to be public. They end up on public search engines due to a combination of architectural oversight and user configuration errors. 1. Missing Authentication
Running the search inurl:views.html cameras is technically legal in most jurisdictions because you are using a public search engine to find publicly accessible web pages. However, clicking on a link and viewing a live feed of a private individual without their knowledge or consent enters a legal and moral gray area. : Instead of port forwarding, use a VPN
: Many legacy network cameras, notably older models from brands like AXIS Communications , use Server Side Includes ( .shtml ) to display real-time video streams in a browser.
Never leave the factory-set username and password on any network-connected device. Use strong, unique passwords for every camera.
From an ethical and legal standpoint, "dorking" for cameras sits in a gray area. While the act of searching is legal, interacting with these systems—such as remotely zooming, panning, or attempting to bypass administrative logins—can cross into violations of privacy laws like the Computer Fraud and Abuse Act (CFAA) in the U.S. or the GDPR in Europe. For cybersecurity professionals, these open feeds serve as a stark reminder of the importance of "security by default." They illustrate that obscurity is not security; just because you didn't share your URL doesn't mean it can't be found. For example, inurl:admin would find pages with "admin"
You might see:
Today, the issue has not disappeared. In fact, it has grown dramatically in scale. In June 2025, security firm Bitsight published research revealing over streaming live footage openly on the internet with no passwords and no protections. These cameras were not limited to public webcams intended for general viewing. They included residential cameras watching front doors, backyards, and living rooms, office cameras disclosing whiteboards and confidential information, factory cameras exposing manufacturing secrets, and even public transportation cameras streaming passengers.