Risk: Low
Google has recently released its Beta Code Search, enabling anyone to query a massive database of publicly available source code and filter results based on license and programming language.
This feature could allow an attacker to search for known or unknown vulnerabilities in the source code of applications. In a number of tests that NTA has performed, exposed source code of a web application has been observed; some accidentally, or in the case of some open source projects online, intentionally. This means that an attacker could search through huge numbers of sites looking for insecure functions or parameters. To minimise this risk, code reviews should be performed and developers and outsource partners should remain up to date with current web application vulnerabilities.
Google's Code Search website states: "Our goal with Code Search is to provide a useful resource for developers and help increase collaboration within the developer community. Unfortunately, tools that ease access to information for good can sometimes do so for bad ... but it's our strong belief that the positive impact outweighs the negative, a belief thankfully shared by many of you. We hope that Code Search will be used as a tool for solving security issues and helping people prevent exploits, since security through obscurity isn't really secure. In cases where we can help prevent certain malicious behavior, we'll do our best to do that."
Code Search certainly produces some interesting search results:
"highly confidential" produced 50 results
"bad code" produced 16,300 results
"broken code" produced 43,700 results