Google has inadvertently given online attackers a new tool.

The company’s new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information, and even proprietary code that shouldn’t have been posted to the Internet in the first place, security experts said Friday.

Unlike Google’s main Web search engine, Google Code Search peers into the actual lines of code whenever it finds source-code files on the Internet. This will make it easier for developers to search source code directly and dig up open-source tools they may not have known about, but it has a downside.

“The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it,” said Mike Armistead, vice president of production with source-code analysis provider Fortify Software.

Attackers could also search code for vulnerabilities in password mechanisms, or search for phrases within software such as “this file contains proprietary,” possibly unearthing source code that should never have been posted to the Internet.

Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.

Skilled hackers may already be able to do this type of search with Google’s Web search engine, but Code Search is “another tool that makes it a bit easier for the attacker,” said Johnny Long, a security researcher with Computer Sciences Corp, in an e-mail interview.

For its part, Google did not have much to say about potential misuse of its new product. “Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately,” the company said in a statement.

Google has never said much about the steps it takes to cut down on this kind of misuse of its search engine, though the issue comes up from time to time. In July, Websense used a little-known binary search capability within Google’s search engine to look for malware on the Internet.

While Google Code Search will probably not have much of an effect on popular open-source projects, which are already heavily scrutinized, it could help ferret out vulnerabilities in lesser-known pieces of code, according to Lev Toger, a software developer with Beyond Security.

“Using Google’s code search, it’s much easier to find interesting code portions,” he said via e-mail. “If your job is to find vulnerabilities in some random code, this filtering can save you a lot of time.”