ergh October 10, 2006 7:41 AM

I see google are already countering this. The example search for “file:wp-config.php username” returns censored results (1 – 1 of about 50).

Guillaume October 10, 2006 8:06 AM

If Google crawled to it, then it was “public”, whether the original authors wanted it or not. Google code search is a convenient way of getting information that is already there. There might be an IP issue here, but I’m not an expert.

I “own” open source software, it was indexed and the license is shown properly. I think it’s great !

@Basil, I also think that this search engine will make developers aware of what is secret.

BTW, systems with hardcoded passwords are just begging to be compromised…

Dimitris Andrakakis October 10, 2006 10:24 AM


If they do,they do so poorly. Just try searching for “username” inside “web.config” files.

Basil Berntsen October 10, 2006 12:23 PM

Guillaume, you are correct. The problem is that many sites with serious vulnerabilities no longer have a real developer working them. It takes a fair amount of skill to fix a vulnerability, and that means that many pages will remain compromised until the owners of the site have the resources (or cash) to fix it.

Petréa Mitchell October 10, 2006 5:28 PM

One of the best Google goodies mentioned at isn’t in the blog post linked to here, just on the front page: search on “microsoft confidential”. The file advertised as the source code for MS-DOS appears to no longer be reachable, but there are still a couple of interesting results.

Erik W October 10, 2006 9:36 PM

This sort of thing was going on 10 years ago…I remember doing an altavista search for “passwd” and getting a slew of hits.

Surprised October 11, 2006 2:35 AM

Surprised to find Bruce Schiener linking to story about security by obscurity. Since when did Bruce start believing that public scrutiny for code is bad??!!

Jiminy October 11, 2006 3:44 PM

@Surprised – huh? He is pointing out how Google is doing this. It is a positive thing for everyone. How did he say it was bad? He is supporting how google helps expose the public code to more eyes. More eyes = good != security by obscurity.

Roger October 13, 2006 7:45 AM

It seems this has already been used to discover poorly secured–well, unsecured and poorly hidden–copies of the source code to MS-DOS 6.0. Not exactly cutting edge, but still supposed to be secret.

Jungsonn November 5, 2006 2:40 PM

Well, to my knowledge this could be done since Google exists. Just take Google for a spin with these queries:

“phpMyAdmin” filetype:sql -demo -foobar
“table users” filetype:sql -demo -foobar
“mysql dump” filetype:sql -demo -foobar

Google code search isn’t that good for finding userinfo, since it’s not stored into JavaScript, but mostly in SQL, CSV, XLS files.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.