Identity Theft With Google Code Search

Several blogs have pointed out that Google Code Search can be used to discover vulnerabilities in the indexed code. One can find SQL injection possibilities, potential buffer overflows and backdoor passwords. But it’s not just security holes in software that you can find.

One particular search I did revealed a file containing a particular person’s entire collection of usernames and passwords. It included several banking account numbers and passwords, SSNs for him and his wife, keys for popular software and mortgage payment details. Assuming the passwords hadn’t changed since, I had more than I needed to steal all his money and his identity.

Irony of ironies, the file was included, as plain text, in the source code package for a “secure password storage” product this person had written and posted to the web!

I sent him an email a couple of weeks ago, and he replied saying that some of the data was out of date, and he would change the rest. But it’s not easy to change bank account numbers and SSNs.

The RISKs: testing security software with real confidential data, and, when working on software, failing to keep the development version separate from the version you actually use.
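
A pre-release check for the first risk above, as an added example that is not part of the original post: it walks a release directory and reports lines that look like SSNs, credentials or account numbers, without echoing the matched values. The patterns, file names and sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic patterns (assumptions chosen for this example; tune them for your data).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credential": re.compile(r"(?i)\b(pass(word|wd)?|pwd|pin)\b\s*[:=]\s*\S+"),
    "account_number": re.compile(r"(?i)\b(account|acct)\b[^\n:=]{0,20}[:=]\s*\d{6,}"),
}

def scan_file(path):
    """Return (line_number, kind) for every line that looks like personal data."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    if b"\x00" in data:  # treat files containing NUL bytes as binary and skip them
        return findings
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))  # record location only, never the value
    return findings

def scan_tree(root):
    """Walk a release directory; return sorted (relative_path, line, kind) tuples."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            results.extend((rel, ln, kind) for ln, kind in scan_file(full))
    return sorted(results)

def build_sample_tree(root):
    """Constructed sample: one source file plus a leftover test-data file."""
    with open(os.path.join(root, "vault.c"), "w") as fh:
        fh.write("/* encrypts entries */\nint main(void) { return 0; }\n")
    with open(os.path.join(root, "testdata.txt"), "w") as fh:
        fh.write("Bank login\npassword: hunter2-constructed\n"
                 "SSN 123-45-6789\nAccount number: 0012345678\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, line, kind in scan_tree(tmp):
            print(f"{rel}:{line}: possible {kind}")
```

Run it against the directory you are about to archive and fail the release if it returns any findings.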

2 thoughts on “Identity Theft With Google Code Search”

  1. Using “(GET|POST|COOKIE|REQUEST)” is better than using “[GPC]”. It includes $_REQUEST (which is a combination of $_GET, $_POST and $_COOKIE) and excludes things like $_CPADMIN (one thing that does show up in the search results).

    (I hope that a tag is parsed properly, because otherwise it’ll stretch the page awfully.)