Monday, 9 October 2006

Google Code Search Can be Misused by Hackers

Google has inadvertently given online attackers a new tool. The company's new source-code search engine, which aimed to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said.

Unlike Google's main Web search engine, Google Code Search peeks into the actual lines of code whenever it finds source-code files on the Internet. This will make it easier for developers to search source code directly and dig up open-source tools they may not have known about, but it has a drawback.

"The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it," said Mike Armistead, vice president of products with source-code analysis provider Fortify Software.

For its part, Google did not have much to say about possible misuse of its new product. "Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately," the company said in a statement.