Caceres freely admits that malicious hackers could use PunkSpider to identify hackable sites. But he argues that scanners that find web vulnerabilities have always existed; this one just publishes the results. “You know that your customers can see it, your investors can see it too, so you’re going to fix that shit quickly,” Caceres says.
The tool Caceres and Hopper are presenting at Defcon is the second incarnation of PunkSpider. The idea for it was born ten years ago, in the summer of 2011, while the hacker collective Anonymous and its splinter group LulzSec were in the midst of a spree of data theft and mayhem, much of it enabled by simple web vulnerabilities. (“Why is there SQL injection everywhere?” ran the refrain of one LulzSec tribute hip-hop song.)
Caceres noticed at the time that even relatively unsophisticated hackers seemingly had no trouble finding web bugs to exploit. He began to wonder whether the only solution might be to detect every such vulnerability online, en masse. So in 2012 he started building PunkSpider to do just that, and introduced it at the Shmoocon hacking conference in early 2013. His small research and development company, Hyperion Gray, also received funding from Darpa.
From the beginning, however, the project faced challenges. Shmoocon’s audience questioned whether Caceres was handing black-hat hackers a tool – and whether he was violating the Computer Fraud and Abuse Act in the process. Soon Amazon was repeatedly kicking him off the Amazon Web Services account he used to run the search engine, after receiving abuse reports from angry webmasters. He was forced to keep creating new burner accounts to continue working.
By 2015, Caceres was scanning the web for new vulnerabilities only about once a year, struggling to keep PunkSpider online and to cover its costs. Shortly afterwards, he let the project go dormant.
Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of the web-hacking search engine. Now Caceres and Hopper say their redesigned tool runs on a cloud-based cluster of hundreds of machines, capable of scanning hundreds of millions of sites a day – either continuously updating its results for the entire web or scanning target URLs at a user’s request. The old PunkSpider’s annual scan of the entire web took close to a week.
Caceres declined to name his current hosting provider, but says he has reached an agreement with the company about PunkSpider’s purpose, which he hopes will prevent his accounts from being banned again. He has also, albeit reluctantly, added a feature that lets webmasters spot PunkSpider’s testing by the user-agent string that identifies website visitors, and has included a contact email address and an opt-out feature that lets sites be removed from the tool’s searches. “Honestly, I’m not happy about it,” Caceres says. “I don’t like the idea that people can turn off security stuff and bury their heads in the sand. But it’s a matter of sustainability and balance.”
The reincarnated version of PunkSpider has already revealed real flaws on major sites. Caceres showed WIRED screenshots demonstrating cross-site scripting vulnerabilities at multiple locations on both Kickstarter.com and LendingTree.com. In LendingTree’s case, Caceres says, the vulnerability could be used to craft links that, if users could be tricked into clicking them, would plant malware on the site or display phishing prompts on LendingTree’s own page. A Kickstarter bug, Caceres says, would let hackers create a link that, if clicked by a victim, could similarly display phishing prompts or automatically make a payment from the victim’s credit card to a Kickstarter project.
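To make the class of flaw concrete, here is an added illustration (not code from PunkSpider, Kickstarter or LendingTree) of the reflected-XSS check a scanner like PunkSpider performs, run against a constructed stand-in for a site’s search page: a harmless canary string is submitted in a query parameter and the response is inspected to see whether it comes back with its HTML metacharacters intact; the hardened renderer beside it shows the fix. The renderer and function names are assumptions for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed stand-ins for a site's server-side search page (not any real
# site's code). Both read the "q" query parameter; only one escapes it before
# echoing it into the HTML.

def render_vulnerable(query_string: str) -> str:
    """Echoes the parameter verbatim: a link carrying markup in q=... is
    rendered in the visitor's browser under the site's own origin."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><h1>Results for {q}</h1></body></html>"

def render_hardened(query_string: str) -> str:
    """Same page with HTML entity encoding applied to the untrusted input."""
    q = parse_qs(query_string).get("q", [""])[0]
    safe = html.escape(q, quote=True)  # < > & " ' become entities
    return f"<html><body><h1>Results for {safe}</h1></body></html>"

# A benign marker containing the metacharacters that matter in an HTML
# context (tag delimiters and both quote styles). If it is reflected
# unchanged, the page echoes untrusted input without output encoding.
CANARY = 'pspdr<>"\'x'

def reflects_unescaped(render, param: str = "q") -> bool:
    """Submit the canary through `param` and report whether it comes back
    with its metacharacters intact (True = likely reflected XSS)."""
    page = render(f"{param}={quote(CANARY, safe='')}")
    return CANARY in page

def scan(renderers: dict) -> dict:
    """Run the check over several endpoints; returns {name: vulnerable?}."""
    return {name: reflects_unescaped(fn) for name, fn in renderers.items()}

if __name__ == "__main__":
    results = scan({"search (vulnerable)": render_vulnerable,
                    "search (hardened)": render_hardened})
    for name, vulnerable in results.items():
        print(f"{name}: {'REFLECTS UNESCAPED' if vulnerable else 'ok'}")
```

Against a live site the same check would fetch the page over HTTP instead of calling a renderer, and a real scanner would also test other output contexts (attributes, JavaScript strings), which a single canary does not cover.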
“LendingTree uses multiple levels of control to protect our site and the confidentiality and integrity of consumer data,” the company said in a statement. “This includes web application firewalls, external penetration testing, and static/dynamic code review to identify and resolve vulnerabilities. In addition, we take all reported security vulnerabilities seriously and quickly investigate and resolve any issues found.” Kickstarter wrote in an email to WIRED that it was “actively addressing” its web flaw.