Lazy developers who copy solutions to tricky programming problems are creating apps that are vulnerable to attack, research suggests.
A team of computer scientists looked at more than 72,000 chunks of code found on the Stack Overflow website.
The site is popular with developers seeking advice on the best way to fix broken code.
But researchers found many of the most copied snippets lacked basic checks that would stop common attacks.
The dangerous code chunks often used obsolete functions, did little to check user responses and did not look for attempts to break the application, said the study.
Security risks
The researchers also trawled through a website where many developers upload and share the code behind their apps and programmes.
The most widely used insecure code blocks turned up in more than 2,800 separate projects on the Github website, they found.
The research team, involving experts at Canadian and Iranian universities, focused on the C++ programming language, which is used in a huge variety of projects, from small programs to large distributed systems.
The team informed those they found using the problematic code chunks on Github that they may have introduced security risks into their apps and programmes.
The hard way
But only 13% of the developers contacted said they had fixed the code, the researchers said. A similar number declined to fix the bugs.
Some 40% said the code was safe because users could not change it once an app was running.
"The people who are using Stack Overflow, they shouldn't trust it fully," said Prof Ashkan Sami, a computer scientist at Shiraz University in Iran who co-wrote the study.
"It's better for programmers to do it the hard way and learn secure coding," he told The Register tech news site.
Prof Sami said the team had developed an extension for the Chrome browser that checks when code is copied from Stack Overflow and lets coders know if it is poorly written or insecure.
Morteza Verdi, Ashkan Sami, Jafar Akhondali, Foutse Khomh, Gias Uddin, Alireza Karami Motlagh (Submitted on 3 Oct 2019)
Software developers share programming solutions in Q&A sites like Stack Overflow. The reuse of crowd-sourced code snippets can facilitate rapid prototyping. However, recent research shows that the shared code snippets may be of low quality and can even contain vulnerabilities. This paper aims to understand the nature and the prevalence of security vulnerabilities in crowd-sourced code examples. To achieve this goal, we investigate security vulnerabilities in the C++ code snippets shared on Stack Overflow over a period of 10 years. In collaborative sessions involving multiple human coders, we manually assessed each code snippet for security vulnerabilities following CWE (Common Weakness Enumeration) guidelines. From the 72,483 reviewed code snippets used in at least one project hosted on GitHub, we found a total of 69 vulnerable code snippets categorized into 29 types. Many of the investigated code snippets are still not corrected on Stack Overflow. The 69 vulnerable code snippets found in Stack Overflow were reused in a total of 2859 GitHub projects. To help improve the quality of code snippets shared on Stack Overflow, we developed a browser extension that allows Stack Overflow users to check for vulnerabilities in code snippets when they upload them on the platform.
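The article describes the recurring defects in the copied snippets only in general terms: obsolete functions and little checking of user input. The following C++ example is added here to make that concrete; it is not code from the study, from Stack Overflow or from the browser extension, and the buffer size, the port-number use case and the sample inputs are all constructed for illustration. Each routine carries the unchecked habit in a comment and a hardened replacement that validates before acting and reports failure to the caller instead of guessing.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed illustration (not from the study): two places where copied snippets
// commonly skip the checks the article describes, each with the unchecked habit
// noted in a comment and a hardened routine that validates first.

constexpr std::size_t kNameSize = 16;   // fixed-size destination, assumed for the example

// Unchecked habit:   char name[16]; strcpy(name, input.c_str());
// Hardened version:  refuse input that does not fit (one byte is needed for the NUL
// terminator), leave the buffer as an empty string, and report the outcome.
bool copy_name(char (&dst)[kNameSize], const std::string& src) {
    if (src.size() >= kNameSize) {
        dst[0] = '\0';
        return false;
    }
    std::memcpy(dst, src.data(), src.size());
    dst[src.size()] = '\0';
    return true;
}

// Unchecked habit:   int port = atoi(text.c_str());   // "abc" -> 0, overflow undefined
// Hardened version:  parse with std::stol, require the whole string to be consumed,
// and enforce the valid range; on any failure report it instead of returning a guess.
bool parse_port(const std::string& text, int& port) {
    try {
        std::size_t consumed = 0;
        long value = std::stol(text, &consumed);
        if (consumed != text.size()) return false;        // trailing junk such as "80abc"
        if (value < 1 || value > 65535) return false;     // outside the port range
        port = static_cast<int>(value);
        return true;
    } catch (const std::invalid_argument&) {
        return false;                                     // no digits at all
    } catch (const std::out_of_range&) {
        return false;                                     // does not fit in a long
    }
}

// Value-returning wrappers so the outcome of each check can be inspected directly.
// store_name returns the stored name, or an empty string when the input was rejected.
std::string store_name(const std::string& src) {
    char name[kNameSize];
    copy_name(name, src);
    return std::string(name);
}

// port_or_invalid returns the parsed port, or -1 when the text was rejected.
int port_or_invalid(const std::string& text) {
    int port = 0;
    return parse_port(text, port) ? port : -1;
}

int main() {
    for (const char* s : {"alice", "this name is far too long for the buffer"}) {
        std::string name = store_name(s);
        std::cout << '"' << s << "\" -> " << (name.empty() ? "rejected" : "stored") << '\n';
    }
    for (const char* s : {"8080", "80abc", "70000", "abc"}) {
        int port = port_or_invalid(s);
        std::cout << '"' << s << "\" -> "
                  << (port < 0 ? std::string("invalid") : "port " + std::to_string(port)) << '\n';
    }
    return 0;
}
```

Both hardened routines follow the same pattern: the length or range check happens before any write, and the caller learns about rejection through the return value rather than through a silently truncated buffer or a zero that looks like a legitimate result.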