Inurl+viewerframe+mode+motion+hotel+hot -

Contrary to what a black-hat hacker might hope, this search does not lead to hacked databases or credit card numbers. Instead, it leads to something far more invasive: unsecured, live-streaming security camera feeds.

Due to poor configuration, many hotels install IP camera systems for monitoring pools, lobbies, hallways, or back offices. When the administrator fails to set a password or disables authentication, the camera’s web interface is exposed directly to the public internet. Google then indexes these pages.

By using the inurl:viewerframe dork, one can find: inurl+viewerframe+mode+motion+hotel+hot

The "mode motion" part filters for cameras actively streaming movement, while "hot" seeks the live, currently refreshing streams.

Disclaimer: Running this search is not illegal (Google indexes public web pages). Clicking on the results to view a live feed of a private space without permission, however, likely violates the Computer Fraud and Abuse Act (CFAA) and ethical hacking standards. Contrary to what a black-hat hacker might hope,

This information is shared to protect potential victims, not to facilitate voyeurism.

If you manage a hotel, a hostel, an Airbnb, or any hospitality business with IP cameras, you must assume that dorks like inurl:viewerframe mode=motion hotel hot are actively being used against you. The "mode motion" part filters for cameras actively

Here is a 5-step security checklist:

Let us be unequivocal: Executing this search string with malicious intent is illegal in most jurisdictions.

Accessing a computer system (including a web-enabled camera) without authorization violates laws such as the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the UK, and similar legislation globally.