We have a serious problem.
A shocking number of major manufacturers engineer and ship webcams that are completely insecure by default. Hikvision, Blue Iris, Axis, D-Link, Wyze, Dahua, Sony… the list goes on. Shipping hardware this vulnerable directly violates customer privacy and creates a massive security liability.

But instead of fixing the issue, manufacturers look the other way. And instead of stepping in to protect citizens, governments do nothing. At the risk of being labelled a conspiracy theorist, it’s starting to look less like negligence and more like a legally sanctioned backdoor for mass surveillance.
IP Crawl changes that. It actively crawls the web for exposed webcams—specifically targeting feeds that require absolutely no username, password, or specialized exploit to access. If it’s open to the public internet… then it’s on this radar.
![Homepage, showing a variety of exposed webcams and a CTA to check your area.](./images/7.png)
It’s a simple, uncompromising way to force awareness. It allows users to check if their own hardware is accidentally broadcasting to the world, while exposing the sheer scale of the vulnerability by letting anyone explore what’s out there.
The goal is straightforward: turn public exposure into pressure, forcing both manufacturers and users to take privacy seriously.
What will you find?

Schools, colleges, hospitals, government facilities, corporate offices, residential living rooms, daycares, indoor cultivation setups, industrial complexes and manufacturing plants. Every day you will see something new.



How it works
The architecture is entirely straightforward.
First, a containerized worker routinely iterates through the public IPv4 space. Sending requests with a clearly identifiable header, it scans hosts for known webcam stream endpoints, listed below:
```js
export const SNAPSHOT_PATHS = [
  // --- Batch 1: one path per top vendor + universal generics ---
  '/Streaming/channels/1/picture', // Hikvision (~40% market share)
  '/cgi-bin/snapshot.cgi', // Dahua + many generics
  '/snapshot.jpg', // Universal generic
  '/axis-cgi/jpg/image.cgi', // Axis (commercial leader)
  '/snap.jpg', // Universal generic
  // --- Batch 2: vendor variants + cross-vendor standard ---
  '/ISAPI/Streaming/channels/101/picture', // Hikvision ISAPI variant
  '/snapshot.cgi', // Generic CGI
  '/onvif-http/snapshot', // ONVIF cross-vendor standard
  '/onvif/snapshot', // ONVIF alternative
  '/image.jpg', // Universal generic
  '/image/jpeg.cgi', // D-Link
  '/cgi/jpg/image.cgi', // TP-Link
  '/?action=snapshot', // MJPEG / generic action
  '/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2', // Foscam
  '/Image.jpg', // consumer variant
  '/cgi-bin/snapshot.cgi?channel=1', // Dahua explicit channel
  // --- Batch 3+: extended coverage ---
  '/Streaming/channels/101/picture', // Hikvision subchannel
  '/Streaming/channels/2/picture', // Hikvision channel 2
  '/Streaming/channels/102/picture', // Hikvision subchannel 2
  '/PSIA/Streaming/channels/1/picture', // Hikvision PSIA legacy
  '/IMAGE.JPG', // Case-variant generic
  '/cam.jpg',
  '/video.jpg',
  '/img/snapshot.cgi?size=2',
  '/img/snapshot.cgi',
  '/tmpfs/auto.jpg', // Cheap Chinese IP cameras
  '/tmpfs/snap.jpg', // Cheap Chinese IP cameras
  '/live.jpg', // Generic live-still
  '/goform/capture', // Belkin / consumer
  '/cgi-bin/snapshot.cgi?1', // Dahua variant
  // Axis extended.
  '/axis-cgi/jpg/image.cgi?resolution=640x480',
  '/jpg/image.jpg?camera=1&overview=0',
  '/jpg/image.jpg?camera=1&overview=1',
  // Panasonic.
  '/SnapshotJPEG?Resolution=640x480&Quality=Clarity',
  '/SnapshotJPEG?Resolution=320x240&Quality=Standard',
  '/cgi-bin/camImage.cgi',
  // Dahua / Amcrest extras.
  '/cgi-bin/getimage',
  '/cgi-bin/net/get_snapshot.cgi',
  // Mobotix.
  '/record/current.jpg',
  '/cgi-bin/image.jpg',
  // Bosch / Sony / Vivotek / Geovision / generic JPG endpoints.
  '/cgi-bin/image.cgi',
  '/cgi-bin/jpg/image.cgi',
  '/cgi-bin/snapshot.jpg',
  '/cgi-bin/viewer/video.jpg',
  '/cgi-bin/video.jpg',
  '/jpg/image.jpg',
  '/image',
  // Misc consumer / DVR firmwares.
  '/cam_1.jpg',
  '/stream.jpg',
  '/snapshot/view0.jpg',
  '/web/snapshot.jpg',
  '/oneshotimage1',
  '/webcapture.jpg?channel=1&stream=0',
  '/webcapture.jpg',
  '/tmp/snap.jpg',
  '/cgi-bin/net_jpeg.cgi?ch=1'
]
```
The pipeline from there is simple:

- If the worker hits a host and successfully retrieves an image or video stream, the host is logged in the IP Crawl database.
- If a subsequent probe fails, the system cross-references threat intelligence platforms like Shodan to match the host and falls back to their specific indexing methods.
- Once a stream goes entirely dark, it’s automatically dropped from the database.
To be absolutely clear: the engine never attempts authentication, brute-forces credentials or exploits software vulnerabilities. It only catalogues what is already completely open to the public internet.
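Seen from the camera owner's side, the same probe pattern shows up in access logs. The following is an added example, not IP Crawl's code: it classifies requests for a subset of the snapshot paths above as exposed (200 with an image body) or protected (401/403), and flags sources that sweep several paths. The log format (combined log with the response Content-Type appended), the `example-crawler/1.0` user agent and the sample lines are assumptions constructed for illustration.

```javascript
// Added example (not IP Crawl's code): audit your own access logs for snapshot probes.
// Subset of the snapshot paths listed above; extend with the full list as needed.
const SNAPSHOT_PATHS = new Set([
  '/Streaming/channels/1/picture', '/cgi-bin/snapshot.cgi', '/snapshot.jpg',
  '/axis-cgi/jpg/image.cgi', '/snap.jpg', '/onvif-http/snapshot', '/image.jpg',
]);

// Assumed format: combined access log with the response Content-Type appended in quotes.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$/;

// Constructed sample lines (documentation IP ranges, hypothetical user agent).
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/May/2025:10:00:01 +0000] "GET /snapshot.jpg HTTP/1.1" 404 153 "-" "example-crawler/1.0" "text/html"',
  '198.51.100.7 - - [10/May/2025:10:00:02 +0000] "GET /Streaming/channels/1/picture HTTP/1.1" 200 48211 "-" "example-crawler/1.0" "image/jpeg"',
  '198.51.100.7 - - [10/May/2025:10:00:03 +0000] "GET /cgi-bin/snapshot.cgi?channel=1 HTTP/1.1" 401 0 "-" "example-crawler/1.0" "-"',
  '203.0.113.20 - - [10/May/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "text/html"',
  '203.0.113.20 - - [10/May/2025:10:05:09 +0000] "GET /snap.jpg HTTP/1.1" 200 3300 "-" "Mozilla/5.0" "text/html"',
];

function analyze(lines, sweepThreshold = 3) {
  const exposed = new Set();        // paths that returned an image with no auth challenge
  const protectedPaths = new Set(); // paths that demanded credentials (401/403)
  const perSource = new Map();      // source IP -> distinct snapshot paths requested
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;               // skip lines that do not match the assumed format
    const [, ip, target, status, ctype] = m;
    const path = target.split('?')[0]; // compare without the query string
    if (!SNAPSHOT_PATHS.has(path)) continue;
    if (!perSource.has(ip)) perSource.set(ip, new Set());
    perSource.get(ip).add(path);
    // A 200 only counts as exposure if the body is an image; login pages also return 200.
    if (status === '200' && ctype.startsWith('image/')) exposed.add(path);
    else if (status === '401' || status === '403') protectedPaths.add(path);
  }
  const sweepers = [...perSource]
    .filter(([, paths]) => paths.size >= sweepThreshold)
    .map(([ip]) => ip);
  return { exposed: [...exposed], protected: [...protectedPaths], sweepers };
}

console.log(analyze(SAMPLE_LOG));
```

Any path reported under `exposed` is a snapshot endpoint that should be put behind authentication or taken off the public interface.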
You know me… The stack itself is lightweight: a Nuxt 4 application running Nuxt UI, deployed entirely on Cloudflare Workers using the entry-level $5/month plan.
To protect both the host and the end-user, tracked streams are re-probed on demand and proxied through the backend. This ensures users never connect directly to the vulnerable host, keeping the host’s actual IP address hidden from the UI.
When you tie it all together, you get a lightweight app capable of indexing almost every exposed webcam on the open IPv4 internet.
On launch day, the platform scaled to over 10,000 concurrent users handling 3 million peak requests—all on that $5/month Workers plan. Wild. Thinking through the caching strategy early on was absolutely crucial.
Now, time will tell:
Will easy, public access to exposed webcams finally be the catalyst that forces governments and manufacturers to act?
Step. The. F*ck. Up.
Discuss this post on HackerNews or on the /r/ipcrawl subreddit.