Google's Code Search Feature
You can use it to find usernames and passwords, confidential code, buffer overflows, and all sorts of other things. (Another news story here.)
EDITED TO ADD (10/10): More info.
Basil Berntsen • October 10, 2006 7:46 AM
Essentially, this will force a massive audit of existing internet code.
Guillaume • October 10, 2006 8:06 AM
If Google crawled to it, then it was “public”, whether the original authors wanted it or not. Google code search is a convenient way of getting information that is already there. There might be an IP issue here, but I’m not an expert.
I “own” open source software, it was indexed and the license is shown properly. I think it’s great !
@Basil, I also think that this search engine will make developers aware of what is secret.
BTW, systems with hardcoded passwords are just begging to be compromised…
bangbang • October 10, 2006 10:02 AM
Yeah, there seem to be many things to search on; it can only make the code better.
Dimitris Andrakakis • October 10, 2006 10:24 AM
@ergh:
If they do, they do so poorly. Just try searching for “username” inside “web.config” files.
Basil Berntsen • October 10, 2006 12:23 PM
Guillaume, you are correct. The problem is that many sites with serious vulnerabilities no longer have a real developer working them. It takes a fair amount of skill to fix a vulnerability, and that means that many pages will remain compromised until the owners of the site have the resources (or cash) to fix it.
Petréa Mitchell • October 10, 2006 5:28 PM
One of the best Google goodies mentioned at kottke.org isn’t in the blog post linked to here, just on the kottke.org front page: search on “microsoft confidential”. The file advertised as the source code for MS-DOS appears to no longer be reachable, but there are still a couple of interesting results.
Erik W • October 10, 2006 9:36 PM
This sort of thing was going on 10 years ago…I remember doing an altavista search for “passwd” and getting a slew of hits.
Surprised • October 11, 2006 2:35 AM
Surprised to find Bruce Schneier linking to a story about security by obscurity. Since when did Bruce start believing that public scrutiny of code is bad??!!
Jiminy • October 11, 2006 3:44 PM
@Surprised – huh? He is pointing out how Google is doing this. It is a positive thing for everyone. How did he say it was bad? He is supporting how google helps expose the public code to more eyes. More eyes = good != security by obscurity.
jhg • October 12, 2006 2:50 AM
@Jimmy,
It can also help code-reuse. Why roll your own when you can google it…..
Roger • October 13, 2006 7:45 AM
It seems this has already been used to discover poorly secured–well, unsecured and poorly hidden–copies of the source code to MS-DOS 6.0. Not exactly cutting edge, but still supposed to be secret.
Jungsonn • November 5, 2006 2:40 PM
Well, to my knowledge this could be done since Google exists. Just take Google for a spin with these queries:
“phpMyAdmin” filetype:sql -demo -foobar
“table users” filetype:sql -demo -foobar
“mysql dump” filetype:sql -demo -foobar
Google Code Search isn’t that good for finding user info, since it’s not stored in JavaScript, but mostly in SQL, CSV and XLS files.
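As an added example (not from the post or any commenter), here is a small pre-publication audit along the lines the thread suggests: before a web root is exposed to a crawler, it checks the file types named above (wp-config.php, web.config, SQL dumps) for live credentials, and skips template placeholder values the way the “-demo -foobar” terms in the queries do. The rules, file names and sample contents are constructed assumptions, not anything quoted from the page.

```python
import re

# Placeholder values a template or demo file legitimately contains; skipped so the
# audit reports live secrets only (the "-demo -foobar" idea from the search queries).
PLACEHOLDERS = {"", "password_here", "changeme", "demo", "foobar", "secret"}

# (file-name regex, content regex with optional 'val' group, finding label).
# Assumed rules for this example; a real audit would carry many more.
RULES = [
    (r"wp-config\.php$",
     re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"](?P<val>[^'\"]*)['\"]"),
     "WordPress DB_PASSWORD"),
    (r"web\.config$",
     re.compile(r"(?i)\b(password|pwd)\s*=\s*(?P<val>[^;\"']*)"),
     "web.config connection-string password"),
    (r"\.sql$",
     re.compile(r"(?i)^INSERT INTO\s+`?users?`?\s"),
     "SQL dump inserting user rows"),
]

def audit_text(filename, text):
    """Return [(finding label, line number)] for credentials found in one file."""
    hits = []
    for name_re, body_re, label in RULES:
        if not re.search(name_re, filename):
            continue  # rule does not apply to this file type
        for lineno, line in enumerate(text.splitlines(), 1):
            m = body_re.search(line)
            if m is None:
                continue
            gd = m.groupdict()
            if "val" in gd and (gd["val"] or "").strip().lower() in PLACEHOLDERS:
                continue  # template/demo value, not a live secret
            hits.append((label, lineno))
    return hits

# Constructed sample files (no real credentials).
WP_CONFIG = "<?php\ndefine('DB_USER', 'wpadmin');\ndefine('DB_PASSWORD', 'Tr0ub4dor-constructed');\n"
WEB_CONFIG = ('<configuration>\n  <connectionStrings>\n'
              '    <add name="Main" connectionString="Server=db;User Id=app;Password=c0nstructed;" />\n'
              '  </connectionStrings>\n</configuration>\n')
SQL_DUMP = ("-- phpMyAdmin SQL Dump (constructed sample)\n"
            "CREATE TABLE `users` (`id` int, `login` varchar(32), `pass` varchar(64));\n"
            "INSERT INTO `users` VALUES (1, 'alice', 'md5-of-constructed-pw');\n")
TEMPLATE = "define('DB_PASSWORD', 'password_here');\n"  # placeholder, must not be reported

if __name__ == "__main__":
    for name, body in [("wp-config.php", WP_CONFIG), ("web.config", WEB_CONFIG),
                       ("backup.sql", SQL_DUMP), ("wp-config.php", TEMPLATE)]:
        print(name, audit_text(name, body))
```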
ergh • October 10, 2006 7:41 AM
I see google are already countering this. The example search for “file:wp-config.php username” returns censored results (1 – 1 of about 50).