Google's Code Search Feature
You can use it to find usernames and passwords, confidential code, buffer overflows, and all sorts of other things. (Another news story here.)
EDITED TO ADD (10/10): More info.
Comments
Basil Berntsen • October 10, 2006 7:46 AM
Essentially, this will force a massive audit of existing internet code.
Guillaume • October 10, 2006 8:06 AM
If Google crawled to it, then it was “public”, whether the original authors wanted it or not. Google code search is a convenient way of getting information that is already there. There might be an IP issue here, but I’m not an expert.
I “own” open source software, it was indexed and the license is shown properly. I think it’s great !
@Basil, I also think that this search engine will make developers aware of what is secret.
BTW, systems with hardcoded passwords are just begging to be compromised…
bangbang • October 10, 2006 10:02 AM
yeah, there seems to be many things to search on, it can only make the code better.
Dimitris Andrakakis • October 10, 2006 10:24 AM
@ergh:
If they do,they do so poorly. Just try searching for “username” inside “web.config” files.
Basil Berntsen • October 10, 2006 12:23 PM
Guillaume, you are correct. The problem is that many sites with serious vulnerabilities no longer have a real developer working them. It takes a fair amount of skill to fix a vulnerability, and that means that many pages will remain compromised until the owners of the site have the resources (or cash) to fix it.
Petréa Mitchell • October 10, 2006 5:28 PM
One of the best Google goodies mentioned at kottke.org isn’t in the blog post linked to here, just on the kottke.org front page: search on “microsoft confidential”. The file advertised as the source code for MS-DOS appears to no longer be reachable, but there are still a couple of interesting results.
Erik W • October 10, 2006 9:36 PM
This sort of thing was going on 10 years ago…I remember doing an altavista search for “passwd” and getting a slew of hits.
Surprised • October 11, 2006 2:35 AM
Surprised to find Bruce Schiener linking to story about security by obscurity. Since when did Bruce start believing that public scrutiny for code is bad??!!
Jiminy • October 11, 2006 3:44 PM
@Surprised – huh? He is pointing out how Google is doing this. It is a positive thing for everyone. How did he say it was bad? He is supporting how google helps expose the public code to more eyes. More eyes = good != security by obscurity.
jhg • October 12, 2006 2:50 AM
@Jimmy,
It can also help code-reuse. Why roll your own when you can google it…..
Roger • October 13, 2006 7:45 AM
It seems this has already been used to discover poorly secured–well, unsecured and poorly hidden–copies of the source code to MS-DOS 6.0. Not exactly cutting edge, but still supposed to be secret.
Jungsonn • November 5, 2006 2:40 PM
Well, to my knowledge this could be done since Google exists. Just take Google for a spin with these queries:
“phpMyAdmin” filetype:sql -demo -foobar
“table users” filetype:sql -demo -foobar
“mysql dump” filetype:sql -demo -foobar
Google code search isn’t that good for finding userinfo, since it’s not stored into JavaScript, but mostly in SQL, CSV, XLS files.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
ergh • October 10, 2006 7:41 AM
I see google are already countering this. The example search for “file:wp-config.php username” returns censored results (1 – 1 of about 50).