Slashdot Mirror

← Back to Stories (view on slashdot.org)

Project Un1c0rn Wants To Be the Google For Lazy Security Flaws

Posted by Unknown on from the always-blame-wordpress dept.

Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."

16 of 43 comments (clear)

  1. Almost useful by Anonymous Coward · · Score: 3, Interesting

    Ok, you've got Google's list of everything, Un1c0rn's list of everything unsafe. What I want is the subset of Google's list that is not on Un1c0rn's list.

    Someone hack together that metasearch tool and I'll (anonymously) support you.

    1. Re:Almost useful by ProjectUn1c0rn · · Score: 2

      That's insightful man ! Thanks, glad I came to collect ideas !

  2. Seriously? by DougOtto · · Score: 2

    The search engine on that site returned 7800 sites when I searched on a single IP address. Maybe the site is useful but the signal to noise ratio is WAY too low to bother with.

    --
    Solving Unix problems since 1989...
    1. Re:Seriously? by ADRA · · Score: 2

      Well to be fair, some hosting companies have like a million sites hosted off a single IP, so not exactly irrelevant unless you know its a buggy scanner. Maybe the introduction of better summarization and breakdown tools are needed to enhance the tool, but hell anything takes time to work well for public consumption.

      --
      Bye!
    2. Re:Seriously? by Iarwain+Ben-adar · · Score: 5, Informative

      Try putting quotes around your IP address. You'll get better results.

    3. Re:Seriously? by just_another_sean · · Score: 2

      Thanks, that did the trick. I too was getting a lot of results when searching for very specific host names. Quotes around either an IP or host name reduced the results to zero (which is obviously what I was hoping for!). And just to test further I put quotes around a random result that did show up in my initial searches and it just came up once, as expected.

      I wouldn't depend it as the only means of double checking a site but it's a good edition to the tool belt. And it should only get better if they don't get sued out of existence.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  3. I predict... by Chris+Mattern · · Score: 4, Insightful

    If it's actually useful in uncovering sites with security defects, the owners will all be facing criminal indictments before the year is out.

    1. Re:I predict... by ThatAblaze · · Score: 2

      Not if they don't make any money. Punkspider has been available for over a year now, and it does much the same thing.

  4. Usefullness Factor . . . by tiberus · · Score: 2

    Okay, so I want to visit a site. So I have to go search Un1c0rn to see if it's on the list? What about all the ad, video and other sites this sites gets content from? Seems like a plugin that uses data from the "your site is in a poor state" database would be much more practical. It could replace at risk content with a big WHOA! graphic...

  5. Project Un1c0rn? by fredrated · · Score: 2

    Was this named by a five year old?

    1. Re:Project Un1c0rn? by fahrbot-bot · · Score: 2

      Was this named by a five year old?

      Probably, and that "OMGP0n1es" was taken.

      --
      It must have been something you assimilated. . . .
  6. GCHQ by q4Fry · · Score: 2

    So the gchq.gov.uk site that is on there: Honeypot?

  7. Re:As is: worthless by just_another_sean · · Score: 2

    Try this: add quotes to your search

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  8. Re: As is: worthless by Teranolist · · Score: 2, Insightful

    Truly? Every second guy on /. is incapable of using a search bar correctly?

  9. Re:As is: worthless by just_another_sean · · Score: 2

    Yeah, that's what I was hoping for as well. Just to double check the quoting thing though, try this; do a search without the quotes, pick one "hit" from the results and then search for that with the quotes. The expected behavior is that you will get one result. That's what happened when I tried a couple of specific, quoted searches for host names and IP addresses that came back in previous, unquoted searches.

    As I mentioned elsewhere I wouldn't count on this alone but it's a good addition to the other tools used to check hosts for problems.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  10. Re: A publicity stunt that marred by busted search by ProjectUn1c0rn · · Score: 2

    The search functionnality is provied by a third-party software. That's what allows us to run quickly on such small hardware for now (fast indexing), but it's clearly not friendly with user inputs. We noted this is the main concerns about our users right now and will do some research on how to improve it ! Thanks