Security researchers have released a tool capable of using website safety badges to seek out vulnerabilities.
The badges, or trustmarks, were small certificates website owners could purchase to display on their site as an indication they had passed security testing from the likes of McAfee and Trust Guard.
If the website failed the test, the badge would be replaced with a clear square, a fact which Tactical Intelligence researchers Shane McDougall and Jay James used as a means to identify vulnerable sites.
"Trustmarks are essentially acting as a flag to indicate to attackers when sites are vulnerable," McDougall told an audience at DerbyCon.
They crafted Oizys, a tool written in Perl that would seek out which sites displayed the squares from Trust Guard or McAfee, and were therefore vulnerable.
The squares were easy to identify because the links to them were not properly obfuscated and could be trawled through Google.
Oizys will be upgraded with delta scans gathered from the security vendors to identify specific vulnerabilities. The attack optimisation tweaks would include five days of logs for McAfee and eight days' worth for Trust Guard.
This would include the most valuable data gleaned from the two days before a target site lost its badge.
"It's the ultimate hacker tool," McDougall said. "[Vendors] do the scanning for you. You never even touch the site until [it's] flagged as vulnerable and then you run the delta of four days back because that's probably the vulnerability that knocked them out of compliance."
He indicated that sites had already been hacked through the method, and said he was made aware of this through "reconnaissance" and by perusing security logs.
McDougall found McAfee's own site listed among its scans of vulnerable websites.
He took aim at the badging process, pointing out that a website could be allowed to wear a trustmark for up to eight days before it would be served the non-compliant badge.
"At least three days, others a week, that you can be vulnerable and still display a trustmark. Anyone see a problem with that?"
"Three days is a lifetime on the intertubes."
This was also the reason the researchers did not disclose their research to the vendors before going public.
"We struggled: What exactly are we going to tell them? It's not a vendor-specific issue, it's a design issue," McDougall said.
He found dozens of sites which had compliance trustmarks while being insecure, some for up to a year.