Sites on the so-called dark web are designed to protect the anonymity of both their visitors and owners. But plenty of administrators make mistakes in setting them up, sometimes leaking the server's real IP address or leaving identifying metadata in files uploaded to the site.
Now, a researcher has developed a custom tool for automatically scanning Tor hidden services for a slew of vulnerabilities and issues, meaning anyone, from dark web drug lords to people hosting whistleblowing platforms, can make sure that their site really is protected.
“I want anonymity tools to be the best; there are people whose lives depend on them,” Sarah Jamie Lewis, the independent security researcher who came up with the tool, told Motherboard in an encrypted chat.
“OnionScan,” as the program is called, checks sites for problems that may unmask servers or identify their owners. That might be an open server status page, which allows anyone to see what other sites are being hosted by the same person. Or there might be metadata in images on the site, revealing GPS coordinates of where they were taken. The first version of OnionScan will be released this weekend, Lewis said.
“While doing some research earlier this year I kept coming across the same issues in hidden services—exposed Apache status pages, images not stripped of exif data, pages revealing information about the tools used to build it with, etc. The goal is [to] provide an easy way of testing these things to drive up the security bar,” Lewis added.
It works “pretty much the same as any web security scanner, just tailored for deanonymization vectors,” she continued.
OnionScan is not subtle, however. “It is worth noting that the software is noisy; it needs to make a number of requests to download images and files,” Lewis said. “It sticks out like a sore thumb in logs.”
Lewis started her research with dark web markets, assuming that they would have developed some cool security features. “They have a huge economic incentive to be innovative in this space—assuming they aren't trying to scam people,” she added. Indeed, the marketplace AlphaBay has made it mandatory for vendors to use two-factor authentication.
“However, what I also found was many, many sites failing basic security practices like the above. So many that I started to write a tool to help me catalogue them—and this is where the tool came from,” Lewis said. “If so many of those sites are failing themselves and their users, I am willing to bet so are anonymous political blogs and other users who desperately need the anonymity.”
Other researchers have previously reported pretty serious problems with how hidden services have been configured. UK-based Thomas White discovered the IP address of the now-defunct Kiss Marketplace, as well as that of a dark web fraud market. In June of last year, White claimed to have gathered information on more than 500 sites, and the IP addresses of eight.
In future updates, Lewis' tool will also pull other potentially identifying data, such as PGP keys, and compare the different software used to generate them.