A way of detecting if your site was hacked. Worth implementing?
I’m working on my own product, a simple uptime monitoring tool: https://pingr.io.
Like every other founder, I’m trying to find what’s called a USP (Unique Selling Proposition): something others don’t offer, something unique (if that’s possible at all).
Recently I came up with an idea which I want to share with you.
What problem do site owners have?
Case #1
I worked in a company that was developing a mobile app. We had a site which we rarely used. We needed it only to show to potential investors, business partners, etc.
One day I wanted to check something and visited the site. It was defaced. No one knew for how long it had been defaced. Nobody was actually aware of it, because we simply didn’t have a reason to visit the site often.
It still returned a 200 OK status, so uptime monitoring wouldn’t notify us.
Case #2
This is an artificial example I thought up.
Imagine a content site whose owner employs some copywriters. Every day the copywriters post some content.
We all know that the most used passwords are simple ones like qwerty or 12345. So it’s possible that a copywriter has a simple password and eventually their account gets hacked. Then the hacker might post some nasty content.
In both cases the site is up and running, but the content has been changed.
What do I want to implement?
So my idea was to collect screenshots of the site and compare them to see how significantly they have changed.
Since a 200 OK doesn’t mean your site is in a “good” state, this might increase the confidence level: it’s not only online, but also in the same “state”.
But can’t users notify you if they see something like that?
Indeed, if you have a web application or a popular site with its own community, then users will notify you. But this applies to uptime monitoring as well: if your site is down, they can notify you.
But what if you don’t have an application or a community? If you have:
- A company site which doesn’t change at all, and you send a link to it to potential investors or business partners; you don’t want them to see some kind of defacement
- A content site whose users are mostly new and just read things
Then in my opinion this might be a useful addition to uptime monitoring.
How exactly could you implement this?
I thought about two options:
- There is the Google Vision API, which allows us to detect adult, spoof, medical, violence, and racy content in an image. This is also helpful if you want to be sure your copywriters haven’t posted something weird
- There are libraries/algorithms for detecting how much an image has changed. I can let users set a threshold that suits them.
Of course, this is not accurate. People will get false alerts.
However, in the case of a completely static site, it might be pretty accurate. In other cases, it’s still better to get an alert that something suspicious is going on. Especially if we get a combination of a high percentage of screenshot change + e.g. adult content.
So basically what I want to do is to get site screenshots every hour or so, and compare how much they have changed + detect if there is inappropriate content.
UPDATE:
Some people also told me that it’s possible to do text analysis. E.g. check if the content contains some nasty things.
Also, it’s possible to select areas of the site that should be monitored. For example, you almost never change the header or the footer. In the case of a complete defacement, it’d be reasonable to notify the user.
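To make the two ideas above concrete (the "how much did the screenshot change" threshold and monitoring only selected areas such as the header and footer), here is an added example. It is not pingr.io's code and not part of the original post. It models a screenshot as rows of 8-bit grayscale pixels so it runs without a browser or image library; a real monitor would fill the same structure from a headless-browser capture. The `Region`, `change_ratio` and `should_alert` names, the per-pixel tolerance of 16 and the 25% alert threshold are all assumptions chosen for the example, and the three sample "screenshots" are constructed, not captured from any site.

```python
"""Screenshot change detection with a tolerance, monitored regions and a threshold.

Added example, not pingr.io's own code.  A screenshot is a list of rows of
grayscale pixel values (0..255), constructed inline so the script runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Image = List[List[int]]  # rows of grayscale pixels, 0..255


@dataclass(frozen=True)
class Region:
    """Rectangle to monitor: top/left inclusive, bottom/right exclusive."""
    top: int
    left: int
    bottom: int
    right: int


def change_ratio(before: Image, after: Image,
                 regions: Optional[List[Region]] = None,
                 pixel_tolerance: int = 16) -> float:
    """Fraction of compared pixels that moved by more than pixel_tolerance.

    The tolerance absorbs JPEG noise and anti-aliasing jitter that would
    otherwise count as a change on every capture.  With regions=None the
    whole image is compared, otherwise only the union of the regions.
    """
    if len(before) != len(after) or any(len(a) != len(b) for a, b in zip(before, after)):
        # A size change (e.g. a large injected banner) is itself suspicious:
        # report a total change rather than silently cropping and comparing.
        return 1.0
    height, width = len(before), len(before[0])
    if regions is None:
        regions = [Region(0, 0, height, width)]
    compared = changed = 0
    for y in range(height):
        for x in range(width):
            if any(r.top <= y < r.bottom and r.left <= x < r.right for r in regions):
                compared += 1
                if abs(before[y][x] - after[y][x]) > pixel_tolerance:
                    changed += 1
    return changed / compared if compared else 0.0


def should_alert(before: Image, after: Image,
                 regions: Optional[List[Region]] = None,
                 threshold: float = 0.25) -> Tuple[bool, float]:
    """Apply the user-chosen threshold; returns (alert?, measured ratio)."""
    ratio = change_ratio(before, after, regions)
    return ratio > threshold, ratio


# --- constructed sample data (20 rows x 40 columns) -------------------------
HEIGHT, WIDTH = 20, 40
HEADER_FOOTER = [Region(0, 0, 4, WIDTH), Region(16, 0, HEIGHT, WIDTH)]


def make_screenshot(chrome: int, body: int, jitter: bool = False) -> Image:
    """Header/footer rows use `chrome`, body rows use `body`; optional +-5 noise."""
    rows = []
    for y in range(HEIGHT):
        base = chrome if y < 4 or y >= 16 else body
        rows.append([base + ((x * 7 + y * 13) % 11 - 5 if jitter else 0)
                     for x in range(WIDTH)])
    return rows


BASELINE = make_screenshot(chrome=30, body=230)
NOISY = make_screenshot(chrome=30, body=230, jitter=True)   # same page, capture noise
EDITED = [row[:] for row in BASELINE]                         # copywriter changed two body rows
for y in (8, 9):
    EDITED[y] = [120] * WIDTH
DEFACED = make_screenshot(chrome=0, body=0)                  # whole page replaced


if __name__ == "__main__":
    for name, shot in (("noisy", NOISY), ("edited", EDITED), ("defaced", DEFACED)):
        print(name, "whole page:", should_alert(BASELINE, shot),
              "header/footer only:", should_alert(BASELINE, shot, HEADER_FOOTER))
```

The noisy capture yields a ratio of 0.0 because every pixel moved by less than the tolerance, the two edited body rows give 0.1 over the whole page (below the threshold, so no alert) and 0.0 over the header/footer regions, while the defacement scores 1.0 in both measurements. Measuring the header and footer separately is what lets a routine content change be ignored while a full-page replacement still fires, which is the point of the region selection idea; the threshold stays something the user tunes per site.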
Worth it? 🤔