Caceres freely admits that malicious hackers could use PunkSpider to identify websites to hack. But he argues that scanners that find web vulnerabilities have always existed. This one just makes the results public. “You know your customers can see it, your investors can see it, so you’re going to fix that shit fast,” says Caceres.
Caceres and Hopper’s Defcon talk marks the second incarnation of PunkSpider. The idea for the tool was born a decade ago, in the summer of 2011, as the hacker collective Anonymous and its splinter group LulzSec were in the midst of data theft and defacement rampage, much of which was made possible by simple web vulnerabilities. (“Why is there SQL injection everywhere?” went the refrain of one LulzSec tribute hip-hop song.)
Caceres noted at the time that even relatively unsophisticated hackers seemingly had no trouble finding a preponderance of web bugs. He began to wonder if the only solution might be to reveal every web vulnerability in a massive purge. So in 2012 he started building PunkSpider to do exactly that; he presented it at the Shmoocon hacking conference in early 2013. His small security R&D firm, Hyperion Gray, also received funding from Darpa.
From the beginning, though, the project faced challenges. The Shmoocon audience questioned whether Caceres was enabling blackhat hackers—and violating the Computer Fraud and Abuse Act in the process. Soon Amazon was repeatedly booting him from the Amazon Web Services accounts he used to power the search engine, after receiving abuse reports from angry web administrators. He was forced to constantly create new burner accounts to keep it running.
By 2015, Caceres was scanning the web for new vulnerabilities only about once a year. He struggled to keep PunkSpider online and cover its costs. Not long after, he let the project lapse.
Earlier this year, however Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of his web hacking search engine. Now Caceres and Hopper say their revamped tool’s scans are powered by a cloud-based cluster of hundreds of machines, capable of scanning hundreds of millions of sites per day—updating its results for the entire web on a rolling basis, or scanning target URLs at a user’s request. The old PunkSpider’s annual scans of the entire web took close to a week to complete.
Caceres declined to name his current hosting provider, but he says he’s worked out an understanding with the company as to PunkSpider’s motivations, which he hopes will prevent his accounts from being banned again. He has also, albeit reluctantly, added a feature that allows web administrators to spot PunkSpider’s probing based on the user agent that helps identify visitors to a website, and included an email address and an opt-out feature that lets websites remove themselves from the tool’s searches. “I’m not happy about it, honestly,” Caceres says. “I don’t like the idea of people being able to opt out of security things and bury their head in the sand. But it’s a sustainability and balance thing.”
The reincarnated version of PunkSpider has already revealed real flaws in major websites. Caceres showed WIRED screenshots that demonstrated cross-site scripting vulnerabilities in both Kickstarter.com and LendingTree.com. In LendingTree’s case, Caceres says the vulnerability could be used to create links that, if users could be tricked into clicking them, would host malware on the site or display phishing prompts on LendingTree’s own site. Kickstarter’s bug, Caceres says, would allow hackers to craft a link that, if a victim clicked it, could similarly display phishing prompts or automatically make a payment from their credit card to a Kickstarter project.
“LendingTree employs multiple layers of control to protect our site and the confidentiality and integrity of consumer data,” the company said in a statement. “This includes web application firewalls, outside-in penetration testing and static/dynamic code review to identify and remediate vulnerabilities. Additionally, we take any reported security vulnerabilities seriously and rapidly investigate and address any issues found.” KickStarter wrote in an email to WIRED that it’s “actively addressing” its web flaw.