Google's Code Search Feature

You can use it to find usernames and passwords, confidential code, buffer overflows, and all sorts of other things. (Another news story here.)

EDITED TO ADD (10/10): More info.

Posted on October 10, 2006 at 6:39 AM • 13 Comments

Comments

ergh • October 10, 2006 7:41 AM

I see google are already countering this. The example search for "file:wp-config.php username" returns censored results (1 - 1 of about 50).

Guillaume • October 10, 2006 8:06 AM

If Google crawled to it, then it was "public", whether the original authors wanted it or not. Google code search is a convenient way of getting information that is already there. There might be an IP issue here, but I'm not an expert.

I "own" open source software, it was indexed and the license is shown properly. I think it's great!

@Basil, I also think that this search engine will make developers aware of what is secret.

BTW, systems with hardcoded passwords are just begging to be compromised...

Dimitris Andrakakis • October 10, 2006 10:24 AM

@ergh:

If they do, they do so poorly. Just try searching for "username" inside "web.config" files.

Basil Berntsen • October 10, 2006 12:23 PM

Guillaume, you are correct. The problem is that many sites with serious vulnerabilities no longer have a real developer working them. It takes a fair amount of skill to fix a vulnerability, and that means that many pages will remain compromised until the owners of the site have the resources (or cash) to fix it.

Petréa Mitchell • October 10, 2006 5:28 PM

One of the best Google goodies mentioned at kottke.org isn't in the blog post linked to here, just on the kottke.org front page: search on "microsoft confidential". The file advertised as the source code for MS-DOS appears to no longer be reachable, but there are still a couple of interesting results.

Erik W • October 10, 2006 9:36 PM

This sort of thing was going on 10 years ago...I remember doing an altavista search for "passwd" and getting a slew of hits.

Surprised • October 11, 2006 2:35 AM

Surprised to find Bruce Schneier linking to a story about security by obscurity. Since when did Bruce start believing that public scrutiny for code is bad??!!

Jiminy • October 11, 2006 3:44 PM

@Surprised - huh? He is pointing out how Google is doing this. It is a positive thing for everyone. How did he say it was bad? He is supporting how google helps expose the public code to more eyes. More eyes = good != security by obscurity.

Roger • October 13, 2006 7:45 AM

It seems this has already been used to discover poorly secured--well, unsecured and poorly hidden--copies of the source code to MS-DOS 6.0. Not exactly cutting edge, but still supposed to be secret.

Jungsonn • November 5, 2006 2:40 PM

Well, to my knowledge this could be done since Google exists. Just take Google for a spin with these queries:

"phpMyAdmin" filetype:sql -demo -foobar
"table users" filetype:sql -demo -foobar
"mysql dump" filetype:sql -demo -foobar

Google code search isn't that good for finding userinfo, since it's not stored in JavaScript, but mostly in SQL, CSV and XLS files.
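The commenters above describe exactly the files that end up indexed: wp-config.php, web.config and SQL dumps with credentials inside. The following is an added example, not code from the post or any commenter, of a small pre-publish scan a site owner can run over a web root so these files are caught before a crawler sees them; the sample file contents are constructed and the pattern set is an assumption, not a complete secrets ruleset. Findings report only the file, line and rule, never the secret itself.

```python
import re

# Constructed sample files modelled on the artifacts named in the comments:
# a WordPress config, an ASP.NET web.config and a MySQL dump, plus a benign file.
SAMPLE_FILES = {
    "wp-config.php": (
        "<?php\n"
        "define('DB_NAME', 'blog');\n"
        "define('DB_USER', 'wp');\n"
        "define('DB_PASSWORD', 'hunter2');\n"
    ),
    "web.config": (
        "<configuration><connectionStrings>\n"
        '<add name="db" connectionString="Server=sql;User Id=app;Password=s3cret;" />\n'
        "</connectionStrings></configuration>\n"
    ),
    "dump.sql": (
        "-- MySQL dump\n"
        "CREATE TABLE users (id int, name varchar(32), password varchar(64));\n"
        "INSERT INTO users VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');\n"
    ),
    "readme.txt": "Nothing sensitive here.\n",
}

# Assumed rules: PHP define() of DB credentials, key=value passwords in
# connection strings, and row inserts into a users table from a dump.
PATTERNS = {
    "php_db_define": re.compile(r"define\(\s*'(?:DB_USER|DB_PASSWORD)'\s*,", re.I),
    "connstr_password": re.compile(r"(?:password|pwd)\s*=\s*[^;\"']+", re.I),
    "sql_users_insert": re.compile(r"INSERT\s+INTO\s+`?users`?\s+VALUES", re.I),
}


def scan(files):
    """Return (filename, line_number, rule) for every credential-like line.

    The matched text is deliberately not returned, so the scanner's own
    output does not become another place where the secret is written down.
    """
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((name, lineno, rule))
    return findings


if __name__ == "__main__":
    for name, lineno, rule in scan(SAMPLE_FILES):
        print(f"{name}:{lineno}: {rule}")
```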
