Security researcher Sarah Jamie Lewis has developed and released a tool called "OnionScan", which "lets you scan it automatically for common vulnerabilities and errors that can de-anonymize the owner or users."
When Lewis first discovered the dark web, she started looking at the current dark net markets and found that most of these websites are quite vulnerable. However, the point of these domains should be to provide anonymity to the buyers and sellers at the market, as well as to the admins. While hidden services are not vulnerable at many of the points where normal (clearnet) domains are, they still have much to improve. According to Lewis, the most common mistakes are made by operators of the dark net markets. Lewis calls attention to frequent server misconfigurations that leave important administrator pages accessible. This can reveal the tools used to build a site, as well as other services run by the same party. Another common issue is images that have not been stripped of EXIF data, which can include the device they were taken with and even the location where they were taken. By abusing these bugs or mistakes, someone can easily identify the owner of the hidden service, which could result in the arrest of the person.
OnionScan checks a hidden service for all potential issues so they can be solved by the website admins. Lewis notes that it is not exactly a "subtle tool": the program will ping a service repeatedly to download various images and files for testing.
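As an added example (not part of the original post and not OnionScan's own code), this is one way a site operator could check JPEG files for the EXIF data described above and strip it before publishing. The function names and the sample bytes are constructed for illustration.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
IDENTIFYING = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}

def segments(jpeg):
    """Yield (start, end, is_exif) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        is_exif = jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:end].startswith(EXIF_MAGIC)
        yield pos, end, is_exif
        pos = end

def exif_findings(jpeg):
    """Return the names of identifying IFD0 tags present in any Exif segment."""
    found = []
    for start, end, is_exif in segments(jpeg):
        if not is_exif:
            continue
        tiff = jpeg[start + 10:end]  # skip marker, length and "Exif\0\0"
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for off in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12):  # 12-byte entries
            (tag,) = struct.unpack(endian + "H", tiff[off:off + 2])
            if tag in IDENTIFYING:
                found.append(IDENTIFYING[tag])
    return found

def strip_exif(jpeg):
    """Copy the file, dropping Exif APP1 segments and keeping everything else."""
    out, last = bytearray(jpeg[:2]), 2
    for start, end, is_exif in segments(jpeg):
        if not is_exif:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed input: a JPEG header with a fake Exif block, not a real photo."""
    ifd = struct.pack("<HHHI4s", 2, 0x010F, 2, 4, b"XXX\x00")  # count; Make inline
    ifd += struct.pack("<HHIII", 0x8825, 4, 1, 0, 0)  # GPSInfo pointer; next IFD = 0
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, EXIF_MAGIC + b"II*\x00\x08\x00\x00\x00" + ifd)
            + b"\xff\xda\x00\x02scan\xff\xd9")
```

This removes only Exif APP1 segments; other metadata containers such as XMP or IPTC blocks are left in place and need their own handling.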
According to Lewis, the whole OnionScan project is not about protecting illegal dark net markets. She made this statement on the matter:
"Privacy is important even if some people use it to do illegal things. There are plenty of private sites and political blogs hosted on the dark web because the owners need that privacy and security."
Note: Just before publishing this post I came across this post from Joseph Cox on Motherboard, who used OnionScan to test all the dark net markets listed on DeepDotWeb, and found that eight illegal sites are leaking potentially identifying information about their owners.