An online service has cropped up in the past month that enables people to earn points by hacking Web sites.
Dubbed Rank My Hack, the hacker community site assigns point values to hacks. "Welcome to RankMyHack.Com," the site reads. "The worlds first elite hacker ranking system. Submit proof of your website hacks in exchange for Ranking Points that earn you a place on the leaderboard of legends. The bigger the site, the bigger the points."
According to The New York Times, Rank My Hack was started by a computer science student in Great Britain, going by the name of "Solar." The Times said he "acknowledged hacking illegally 'in the past' to develop his skills, but said he had never engaged in criminal acts like fraud."
The Times, which first reported on Rank My Hack, said that so far 1,200 hacks have been submitted to the service for review. To get recognition for a hack, users must gain access to a site, and then plant some code on the server. Rank My Hack then checks for the code, and based on the hack's difficulty and site's popularity, points are assigned, the Times reported.
Chris Lytle, a security researcher at Veracode, isn't all that impressed with Rank My Hack. In fact, Lytle told CNET in an interview today, Rank My Hack is just the latest way for hackers to do what they've been doing for years now--brag.
"This site is really nothing new," Lytle said. "People have been bragging about their exploits on message boards, mailing lists, IRC channels, etc. for a long time. All that this site really brings to the party is an arbitrary scoring system."
Currently, user Mudkip is the top hacker on the service, earning nearly 4 million "ranking points." The greatest number of Mudkip's points came from the alleged hacking of Huffington Post--so far, the top hack the service has tallied--earning the hacker 1.6 million points. Mudkip has also allegedly targeted Home Depot and DoubleClick.
Although Huffington Post is worth the most points, Google is a close second, earning user Blackfan 1.5 million for an alleged hack of the search giant. Speaking to the Times, Google said that Blackfan told the company about a bug in its mobile search site. Google said that the issue will cause no trouble for users.
Several other prominent sites are listed in the top 10 hacks, including Mapquest, Yahoo, and Mozilla. Rank My Hack also provides a search function, allowing users to see how many points they will get if they hack a given site.
Rank My Hack also comes with a "bounties" page, allowing users to see which sites hackers can claim to target. However, when trying to access that page, the site says that users "must be logged in to view the point bounties" because of "high media coverage."
Although Rank My Hack's users are taking aim at sites, Lytle said he doesn't believe that companies have anything to worry about from the site, since, as he points out, "Rank My Hack wasn't disclosing technical information about what the actual exploits were, just that an exploitable vulnerability existed."
Rank My Hack's notoriety is coming at a time when hacking is a hot-button issue across the Web. Over the last several months, hacking groups Anonymous and LulzSec have made headlines by attacking everything from government organizations to companies. Numerous arrests--including in countries such as the U.S., the U.K., Spain, and Turkey--have been made in connection with the hacks.
However, Rank My Hack is trying to give individual hackers some notoriety. In fact, the site is designed to have hackers "duel" with each other to "protect [their] legacy in one-on-one digital combat." The site's "duels" page lets hackers challenge another person to a battle to see who can score the most hacking points.
"So, have you got what it takes to be the best?" Rank My Hack challenges hackers.
There also appears to be some sort of monetary compensation for hacking. In the site's membership rules, it says that users who enter hacking competitions will receive "payouts" from Rank My Hack via PayPal within seven days of a competition's closing date.
But before those folks collect their cash, Lytle warns that they might want to think twice.
"The bigger threat from Rate My Hack would be towards people bragging on the site," Lytle said. "Chronicling illegal activities for 'points' on a site that many consider a joke is a big risk for almost no reward, especially since anyone, including law enforcement, can view the site."
Update at 11:38 a.m. PT to include Veracode security researcher Chris Lytle's comments.