Google opened up a new search service called Google Code Search today. The new search lets you search through a huge index of code that the Google search engine has crawled over the years. Being the curious beings we are, a friend of mine and I immediately started searching for passwords to see just how much Google was indexing. It didn't turn up much in the way of anything "secret" until we refined our search to just wp-config files (the file that contains the database connection information for WordPress installs). That worked. Since Google Code Search actually indexes the contents of compressed files like ZIP and tarball files, we were able to find copies of people's wp-config files, and several contained usernames and passwords. Here's an example search. Now, this only pulls up 50 results (after filtering out the sample config files), but we only looked for WordPress config files. Who knows what other similar files out there are being indexed and made public. So, a lesson to webmasters: don't put anything you don't want seen in a zip file on your server. Perhaps obvious to most, but worth repeating.
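The check a webmaster would want after reading this, as an added example that is not part of the original post: walk a web root, open every ZIP or tarball found there, and report any archive that carries a real wp-config.php (not wp-config-sample.php) defining DB_* credentials. The helper names and the constructed sample web root are assumptions for the demonstration.

```python
# Added example, not from the original post: walk a web root and report every .zip or
# tarball holding a WordPress wp-config.php that defines DB_* credentials. Helper names
# are hypothetical; the sample web root is constructed in a temp directory.
import io, os, re, tarfile, tempfile, zipfile

ARCHIVE_EXTS = (".zip", ".tar", ".tar.gz", ".tgz")
DB_DEFINE = re.compile(r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")

def db_constants(text):  # names of the DB_* constants a wp-config.php body defines
    return sorted(set(DB_DEFINE.findall(text)))

def wp_configs_in(path):
    """Yield (member_name, text) for each wp-config.php inside one archive."""
    if path.endswith(".zip"):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if os.path.basename(name) == "wp-config.php":
                    yield name, zf.read(name).decode("utf-8", "replace")
    else:
        with tarfile.open(path) as tf:  # mode "r" autodetects gzip compression
            for m in tf.getmembers():
                if m.isfile() and os.path.basename(m.name) == "wp-config.php":
                    yield m.name, tf.extractfile(m).read().decode("utf-8", "replace")

def scan_webroot(root):
    """Return [(archive, member, [DB_* constants])]; exact-name match skips sample files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, f)
                for member, body in wp_configs_in(full):
                    consts = db_constants(body)
                    if consts:
                        findings.append((os.path.relpath(full, root), member, consts))
    return findings

def build_sample_webroot():
    """Constructed fixture: a backup zip, a gzipped tarball, and a sample-only zip."""
    root = tempfile.mkdtemp()
    cfg = ("<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpuser');\n"
           "define('DB_PASSWORD', 'placeholder');\ndefine('DB_HOST', 'localhost');\n")
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("blog/wp-config.php", cfg)
    with tarfile.open(os.path.join(root, "site.tar.gz"), "w:gz") as tf:
        info = tarfile.TarInfo("www/wp-config.php"); info.size = len(cfg.encode())
        tf.addfile(info, io.BytesIO(cfg.encode()))
    with zipfile.ZipFile(os.path.join(root, "theme.zip"), "w") as zf:
        zf.writestr("wp-config-sample.php", cfg)  # sample config: must not be reported
    return root
```

Point `scan_webroot` at a real document root (for example `/var/www`) to list the archives that should be moved out of the served tree or deleted.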
And a lot of people have the same friend as you: http://deathbycomet.com/2006/10/05/some-of-your-db-passwords-are-belong-to-us/ http://www.google.co.uk/search?q="B...+immediately+started+searching+for+passwords" Plagiarism is lame. Too bad I need to spread more red before giving it to you again. Copyright violation infraction on its way to you.