Schneier on Security
A blog covering security and security technology.
« Torture Bill as C Code |
| Airport Security Confiscates Rock »
October 10, 2006
Google's Code Search Feature
You can use it to find usernames and passwords, confidential code, buffer overflows, and all sorts of other things. (Another news story here.)
EDITED TO ADD (10/10): More info.
Posted on October 10, 2006 at 6:39 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I see google are already countering this. The example search for "file:wp-config.php username" returns censored results (1 - 1 of about 50).
Essentially, this will force a massive audit of existing internet code.
If Google crawled to it, then it was "public", whether the original authors wanted it or not. Google code search is a convenient way of getting information that is already there. There might be an IP issue here, but I'm not an expert.
I "own" open source software, it was indexed and the license is shown properly. I think it's great !
@Basil, I also think that this search engine will make developers aware of what is secret.
BTW, systems with hardcoded passwords are just begging to be compromised...
yeah, there seems to be many things to search on, it can only make the code better.
If they do,they do so poorly. Just try searching for "username" inside "web.config" files.
Guillaume, you are correct. The problem is that many sites with serious vulnerabilities no longer have a real developer working them. It takes a fair amount of skill to fix a vulnerability, and that means that many pages will remain compromised until the owners of the site have the resources (or cash) to fix it.
One of the best Google goodies mentioned at kottke.org isn't in the blog post linked to here, just on the kottke.org front page: search on "microsoft confidential". The file advertised as the source code for MS-DOS appears to no longer be reachable, but there are still a couple of interesting results.
This sort of thing was going on 10 years ago...I remember doing an altavista search for "passwd" and getting a slew of hits.
Surprised to find Bruce Schiener linking to story about security by obscurity. Since when did Bruce start believing that public scrutiny for code is bad??!!
@Surprised - huh? He is pointing out how Google is doing this. It is a positive thing for everyone. How did he say it was bad? He is supporting how google helps expose the public code to more eyes. More eyes = good != security by obscurity.
It can also help code-reuse. Why roll your own when you can google it.....
It seems this has already been used to discover poorly secured--well, unsecured and poorly hidden--copies of the source code to MS-DOS 6.0. Not exactly cutting edge, but still supposed to be secret.
Well, to my knowledge this could be done since Google exists. Just take Google for a spin with these queries:
"phpMyAdmin" filetype:sql -demo -foobar
"table users" filetype:sql -demo -foobar
"mysql dump" filetype:sql -demo -foobar
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..