I recently got an email from a client looking to get a toolbar developed. From the project details, it was clear that it would be used to hack user accounts on legitimate sites. I have snippets of the email attached here:
I am looking to create a toolbar where users can select the username and
password fields on a website, and have the toolbar attempt logins by
interacting with a list of potential passwords. If the user does not
have a password list, he should be able to create a set of passwords
based on his needs (x characters long, select which characters should be
used (Ex] no numbers or special characters), select the beginning or end
of the password) There should be some sort of proxy option built in so
that if the website is denying a user to login (because of too many
incorrect attempts), it can try from a different ip. When a working
password is found (probably by sensing that a different page has been
loaded), it should be saved and the process will stop. I would think
that the toolbar should first check to see what sort of error message
comes up after an incorrect login.
Additional add-ons to consider:
Delete cookies after every login attempt
Limit the number of attempts per hour/minute, and when they should
be attempted. Ex] One attempt every 30 minutes for 6 hours, rather than
12 attempts in the first minute.
Reading CAPTCHA security images (maybe the user does have to
manually enter in these codes, or possibly the toolbar can read them.)
Working with flash logins
This program will have a trial period with minimal features and users
can buy the full version by entering a product key. The security of the
algorithm is extremely important to me. I would hate to see a product
which I fund become another casualty of warez communities.
I realize that this extension is edgy and can be used as a hacking
utility (although it will be advertised as a Security Analysis tool).
If your team does not feel comfortable creating such a product, I

Another thing worth noting was the client’s name. It could be a coincidence, but when I searched for the client’s name on Google, the results were rather suspicious. The first 2 pages of results were filled with information on a missing 24-year-old med student from Ohio State University. Surprisingly, the first name and last name matched those of my client. But it could be just a coincidence.
Anyway, the client has a big budget, and the project requirements are pretty much doable. So, will you work on it? Will you work on a nasty project like this one?
I have asked some of the other freelancers and I got mixed opinions. One said he would definitely work on it if the client has a big budget. The other just ran away. I also had mixed thoughts on it. But after consulting some senior guys, I’ve decided to drop it. But it may not be the same for you. Is it?