A Controversial Tool Calls Out Thousands of Hackable Websites

Hackers have long found the web to be a safe haven, with hundreds of millions of servers available for them to search for vulnerabilities. One hacker tool is now about to take that practice to its extreme: scanning every website on the internet to discover and publicly release exploitable flaws, all in the name of making the web safer.

Next week at the Defcon hacker conference, Alejandro Caceres and Jason Hopper will release an upgraded and relaunched version of a tool called PunkSpider that has been on hiatus for many years. PunkSpider is essentially a search engine that continuously crawls the web. It automatically detects hackable vulnerabilities and lets users search the results to see which sites are vulnerable to anything from data leaks to defacement.

PunkSpider's creators claim it will catalogue hundreds of thousands of unpatched vulnerabilities and make them all publicly available. Caceres acknowledges that the tool could expose these sites to real-world attack, and Hopper agrees. They hope the visibility will make web administrators acknowledge the simple, obvious, and sometimes dangerous flaws in their sites, and fix them.

Low-hanging fruit

PunkSpider continues to find web vulnerabilities that remain extremely common despite many warnings over the years. Security researchers discovered that one of these web vulnerabilities allowed anyone to take control of Fortnite accounts in January last year. A second web vulnerability, found earlier in the year by PunkSpider, allowed hackers to access Gab, a right-wing social media site, and leaked 70 gigabytes of backend data. Both of these vulnerabilities have been fixed. Caceres believes that PunkSpider might encourage web administrators to fix such bugs before hackers abuse them.

"I thought, 'Wouldn't it be awesome if I could scan all of the web for vulnerabilities?' To make it even more enjoyable, would it not be great if all the vulnerabilities were made available for free?"
Caceres works alongside Hopper as a researcher at the cybersecurity startup QOMPLX. "I knew that it would have some implications," he says. "It was something I thought about a lot."

PunkSpider scans websites for seven types of exploitable bugs, repeatedly trying different hacking methods to determine whether a site is vulnerable. These include SQL injection vulnerabilities, which let hackers insert commands into website input fields, sometimes causing the website to spill its backend database contents; cross-site scripting vulnerabilities, which let hackers create malicious links that load an altered version of the website when a user clicks them; and path traversal vulnerabilities, in which hackers manipulate a site's URL in order to read or write sensitive files on the server hosting it. Hackers consider these vulnerabilities low-hanging fruit, but they still exist across large swathes of the internet.

"I just hope people realize that we are trying to do the right things." Alejandro Caceres, QOMPLX

Caceres and Hopper created a site that allows users to search by URL keyword, vulnerability type, and severity. They have also created a Chrome plugin to check every website for hackable flaws. Both the browser plugin and the search tool give each website a "dumpsterfire" score, which depends on the number of vulnerabilities and their severity. "PunkSpider detects vulnerabilities and does some backend work to determine if they are exploitable," Caceres says. "That last part is what I get a little bit of shit for occasionally."

The generally hacker-friendly Electronic Frontier Foundation said in a statement that PunkSpider could lead to dangerous consequences. "The tool has good intentions, but the vulnerabilities lead to real-world problems. Ransomware is one example. Administrators might have to fix them. However, we don't recommend it," Karen Gullo, an EFF analyst, wrote in an email to WIRED.

"Bad actors can easily exploit vulnerabilities faster than administrators, which can lead to more breaches."
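The three bug classes the article describes (SQL injection, cross-site scripting and path traversal) each come down to the same mistake: untrusted input from the URL or a form field is treated as query text, as HTML markup, or as a filesystem path. The block below is an added example, not PunkSpider's code and not anything from Caceres, Hopper or QOMPLX; it shows the hardened form of each handler in Python using only the standard library. The web root, the in-memory user table and the helper names (`resolve_under_root`, `find_user`, `render_greeting`, `make_sample_root`) are all constructed for this illustration.

```python
"""Hardened handling for the three bug classes named in the article.

Added example, not PunkSpider code. Standard library only; the web root
and the sample user table are constructed fixtures.
"""
import html
import os
import sqlite3
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str) -> Optional[str]:
    """Map a URL path onto a file under web_root.

    Returns None when the decoded path would escape the root (path
    traversal) or contains a NUL byte, so the caller never opens a file
    outside the directory it meant to serve.
    """
    decoded = unquote(requested)          # decode %2e%2e and friends once
    if "\x00" in decoded:                 # NUL can truncate names in C APIs
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath collapses ".." and symlinks; anything not under root is traversal.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Parameterized lookup: the username is bound as data, never spliced
    into the SQL text, so input cannot change the query's structure."""
    cur = conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    )
    return cur.fetchall()


def render_greeting(name: str) -> str:
    """Escape user-controlled text before placing it in HTML so that it is
    displayed literally rather than interpreted as markup or script."""
    return "<p>Hello, {}!</p>".format(html.escape(name, quote=True))


def build_sample_db() -> sqlite3.Connection:
    """Constructed fixture: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)]
    )
    return conn


def make_sample_root() -> str:
    """Constructed fixture: a web root holding index.html, with a
    secret.txt one level above it that the resolver must never return."""
    base = tempfile.mkdtemp(prefix="hardened_example_")
    root = os.path.join(base, "public")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>ok</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not for the web")
    return root


if __name__ == "__main__":
    root = make_sample_root()
    for path in ("index.html", "sub/../index.html", "../secret.txt",
                 "%2e%2e%2fsecret.txt", "index.html%00.png"):
        print(f"{path!r:28} -> {resolve_under_root(root, path)}")

    conn = build_sample_db()
    print(find_user(conn, "alice"))                  # [(1, 'alice')]
    print(find_user(conn, "alice' OR '1'='1"))       # [] : treated as a literal name

    print(render_greeting("<script>alert(1)</script>"))
```

Each function returns its result rather than printing it, so the same checks can sit in a unit test: the resolver must reject every traversal spelling (raw, percent-encoded, NUL-truncated) while still accepting a harmless `sub/../index.html`, the parameterized query must return nothing for a name that would have altered a string-built query, and the escaped greeting must contain no `<` or `>` from the input.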