Hacking and Phreaking in the UK. Old school ethics, New school tech.


October 6th, 2006

Yesterday, Google Labs opened up the beta version of their CodeSearch search engine, giving way to an influx of pro-hack comments.

The long-awaited CodeSearch facility enables users to look up chunks of public source code, something that's sure to put the fjear mode: ON into the likes of Krugle, Codease and co.

Of course, pulling server-side source from webpages has been a dream of most hackers at one time or another, and Google's CodeSearch certainly lends a hand in doing so.

Consider the following search queries, which yield numerous results for unchecked GET variables that could prove useful when employing Cross Site Scripting (XSS) attack vectors.

file:process.php "include($"

result: http://tinyurl.com/rrmh2

"include($_GET"

result: http://tinyurl.com/rdpl9
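
The defensive counterpart to the two queries above, as an added example that is not part of the original post: run the same include($ pattern over your own PHP tree before a code search engine does. A request-controlled include path is a file inclusion flaw. The function names (audit_php, is_tainted) and the sample file are constructed for illustration, and the matching is a line-based heuristic rather than a PHP parser.

```python
import re

# include/require (and *_once) whose path expression contains a PHP variable.
INCLUDE_RE = re.compile(
    r"(?<![$\w])(?:include|require)(?:_once)?\b\s*\(?\s*(?P<arg>[^;]*\$[^;]*);",
    re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")
VAR_RE = re.compile(r"\$\w+")


def is_tainted(expr, tainted):
    """True if expr reads a request superglobal or a variable derived from one."""
    return bool(SUPERGLOBAL_RE.search(expr)) or bool(set(VAR_RE.findall(expr)) & tainted)


def audit_php(source):
    """Return [(line_no, severity, code)] for include/require with variable paths."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines (heuristic only)
        m = INCLUDE_RE.search(code)
        if m:
            # "high": path comes from request data; "review": some other variable.
            sev = "high" if is_tainted(m.group("arg"), tainted) else "review"
            findings.append((no, sev, code))
        # Track variables assigned from request data so later includes are caught.
        for var, rhs in ASSIGN_RE.findall(code):
            if is_tainted(rhs, tainted):
                tainted.add(var)
    return findings


# Constructed sample file, not taken from any real project.
SAMPLE = r"""<?php
$page = $_GET['page'];
include($page . '.php');
include($_GET['mod']);
require_once $config_dir . '/db.php';
include('header.php');
// include($_GET['old']);
$include = $x;
"""

if __name__ == "__main__":
    for no, sev, code in audit_php(SAMPLE):
        print(f"line {no}: [{sev}] {code}")
```

Anything derived from request data is reported as high, including values that were later validated, so treat the output as a triage list to confirm by hand.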

Not to mention the insertion of the following regex, which outputs a mediocre 22,500 email addresses - making Google CodeSearch every spammer's wet dream.

(Chris McClelland, of AJAXPress, states over 11 million emails from the string “@” - funny, we only found 9.5 million, and half of those were not email related.)


^[a-zA-Z]([.]?([[:alnum:]_-]+)*)?@([[:alnum:]\-_]+\.)+[a-zA-Z]{2,4}$

result: http://tinyurl.com/ftz3u

Further, Google CodeSearch could prove to be somewhat of an engine for distributing “bad” code to unsuspecting programming/scripting newbies. “Google Code Search could also prove to be a tool for malware writers to distribute their code”, adds Google Blogs' Steve Bryant, with a bit of realism to the whole security issue.