Bruce Schneier
Schneier on Security
A blog covering security and security technology.

October 10, 2006
Google's Code Search Feature

You can use it to find usernames and passwords, confidential code, buffer overflows, and all sorts of other things. (Another news story here.)

EDITED TO ADD (10/10): More info.

Posted on October 10, 2006 at 6:39 AM • 13 Comments

I see Google are already countering this. The example search for "file:wp-config.php username" returns censored results (1 - 1 of about 50).
Posted by: ergh at October 10, 2006 7:41 AM

Essentially, this will force a massive audit of existing internet code.
Posted by: Basil Berntsen at October 10, 2006 7:46 AM

If Google crawled to it, then it was "public", whether the original authors wanted it or not. Google Code Search is a convenient way of getting information that is already there. There might be an IP issue here, but I'm not an expert. I "own" open source software; it was indexed and the license is shown properly. I think it's great!
@Basil, I also think that this search engine will make developers aware of what is secret. BTW, systems with hardcoded passwords are just begging to be compromised...
Posted by: Guillaume at October 10, 2006 8:06 AM

Yeah, there seem to be many things to search on; it can only make the code better.
Posted by: bangbang at October 10, 2006 10:02 AM

@ergh: If they do, they do so poorly. Just try searching for "username" inside "web.config" files.
Posted by: Dimitris Andrakakis at October 10, 2006 10:24 AM

Guillaume, you are correct. The problem is that many sites with serious vulnerabilities no longer have a real developer working on them. It takes a fair amount of skill to fix a vulnerability, and that means that many pages will remain compromised until the owners of the site have the resources (or cash) to fix it.
Posted by: Basil Berntsen at October 10, 2006 12:23 PM

One of the best Google goodies mentioned at kottke.org isn't in the blog post linked to here, just on the kottke.org front page: search on "microsoft confidential". The file advertised as the source code for MS-DOS appears to no longer be reachable, but there are still a couple of interesting results.
Posted by: Petréa Mitchell at October 10, 2006 5:28 PM

This sort of thing was going on 10 years ago... I remember doing an AltaVista search for "passwd" and getting a slew of hits.
Posted by: Erik W at October 10, 2006 9:36 PM

Surprised to find Bruce Schneier linking to a story about security by obscurity. Since when did Bruce start believing that public scrutiny for code is bad??!!
Posted by: Surprised at October 11, 2006 2:35 AM

@Surprised - huh? He is pointing out how Google is doing this. It is a positive thing for everyone. How did he say it was bad? He is supporting how Google helps expose the public code to more eyes. More eyes = good != security by obscurity.
Posted by: Jiminy at October 11, 2006 3:44 PM

@Jimmy,
Posted by: jhg at October 12, 2006 2:50 AM

It seems this has already been used to discover poorly secured--well, unsecured and poorly hidden--copies of the source code to MS-DOS 6.0. Not exactly cutting edge, but still supposed to be secret.
Posted by: Roger at October 13, 2006 7:45 AM

Well, to my knowledge this could be done ever since Google has existed. Just take Google for a spin with this query:
"phpMyAdmin" filetype:sql -demo -foobar
Google Code Search isn't that good for finding user info, since it's not stored in JavaScript, but mostly in SQL, CSV and XLS files.
Posted by: Jungsonn at November 5, 2006 2:40 PM
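The commenters above search for credentials in wp-config.php, web.config and SQL dumps and expect the feature to force "a massive audit of existing internet code". The script below is that audit run locally, before a crawler does it for you. It is an added example, not code from the post or from any commenter: the file names, the credential patterns and the sample tree it scans are constructed for illustration, and it treats obvious placeholder values (the kind shipped in sample configs) as noise rather than findings.

```python
"""Audit a source tree for the hard-coded credentials that a public code
search makes trivially findable.

Added example, not code from the post or its commenters. The file types,
the regexes and the sample tree below are assumptions made for illustration.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# The files the commenters searched for, plus the SQL dumps Jungsonn mentions.
INTERESTING_FILES = re.compile(
    r"(^|/)(wp-config\.php|web\.config|.*\.sql)$", re.IGNORECASE)

# Placeholder values shipped in sample configs; flagging them is noise.
PLACEHOLDERS = re.compile(
    r"^(|\*+|x+|password_here|put your .* here|your_?password|changeme|<.*>)$",
    re.IGNORECASE)

# (description, regex with a named 'secret' group holding the captured value)
PATTERNS = [
    ("WordPress DB_PASSWORD define",
     re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"](?P<secret>[^'\"]*)['\"]")),
    ("connection-string password",
     re.compile(r"(?:password|pwd)\s*=\s*(?P<secret>[^;\"'\s]*)", re.IGNORECASE)),
    ("MySQL IDENTIFIED BY",
     re.compile(r"IDENTIFIED BY\s+'(?P<secret>[^']*)'", re.IGNORECASE)),
    ("INSERT into a user table",
     re.compile(r"INSERT INTO\s+`?\w*user\w*`?.*VALUES\s*\((?P<secret>[^)]*)\)",
                re.IGNORECASE)),
]


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str


def scan_file(path: str, text: str) -> List[Finding]:
    """Return one finding per line that carries a non-placeholder credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group("secret").strip()
            if PLACEHOLDERS.match(secret):
                continue          # sample-config filler, not a real credential
            findings.append(Finding(path, number, kind, secret))
            break                 # one finding per line is enough
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} tree; only interesting files are read."""
    return [finding
            for path, text in sorted(files.items())
            if INTERESTING_FILES.search(path)
            for finding in scan_file(path, text)]


def scan_directory(root: str) -> List[Finding]:
    """Same check over a real directory (what you would run on a web root)."""
    tree: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name).replace(os.sep, "/")
            if INTERESTING_FILES.search(full):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    tree[full] = fh.read()
    return scan_tree(tree)


# Constructed sample tree: a WordPress config, an ASP.NET web.config with one
# real and one placeholder password, a SQL dump, and a file the scan ignores.
SAMPLE_TREE = {
    "site/wp-config.php": "<?php\ndefine('DB_NAME', 'blog');\n"
                          "define('DB_USER', 'blog');\n"
                          "define('DB_PASSWORD', 'hunter2');\n",
    "app/web.config": '<configuration>\n  <connectionStrings>\n'
                      '    <add name="Prod" connectionString="Server=db;Database=app;User Id=sa;Password=S3cr3t!" />\n'
                      '    <add name="Dev" connectionString="Server=localhost;User Id=dev;Password=<password>" />\n'
                      '  </connectionStrings>\n</configuration>\n',
    "db/dump.sql": "CREATE USER 'app'@'localhost' IDENTIFIED BY 'app-pass-2006';\n"
                   "INSERT INTO `users` (`id`,`login`,`password`) VALUES (1,'admin','5f4dcc3b5aa765d61d8327deb882cf99');\n",
    "src/main.js": "var password = 'not scanned: not an interesting file type';\n",
}

if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_tree(SAMPLE_TREE)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.value}")
```

Run it with a directory argument to audit a real document root; without one it scans the constructed sample and reports four findings (the web.config placeholder is skipped). Anything it reports is a value that a crawler would index just as readily, and the fix the thread points at is to move the secret out of the served tree rather than to hide the file better.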