Anonymized numbers of bug discoveries swiftly deleted after pushback
The maintainers of a new version of popular hacking tool XSS Hunter have been criticized for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.
The contentious communication from Truffle Security, which launched a new fork of the open source tool last week after its deprecation by original creator Matthew Bryant, was tweeted yesterday.
“Wow, >1000 XSS Reports since we launched our flavor of XSSHunter last week,” it said.
“∼20 of them have their .git directory exposed,” it continued, adding “∼15 of them have cloud credentials exposed and >100 have CORS issues!”
This provoked consternation among bug hunters and security researchers on Twitter, including hacker and pen tester Julien Ahrens. “Sounds like someone is looking at your data closely...” he tweeted. “Protip: Host your own instance of xsshunter-express or ezxss to avoid leaking potentially sensitive data to this company.”
Truffle Security responded to the social media storm by deleting the offending tweet and acknowledging the pushback: “We posted some anonymized stats about XSSHunter (similar to Hackerone’s public anonymized reports), and members of the community voiced privacy concerns, so we took it down. Thank you for reposting it, totally fair to hold us accountable.”
However, ‘@Th3MadHacker’ countered: “This is not the same as HackerOne; programs on HackerOne give consent to share metrics.”
In response to queries from The Daily Swig, Truffle Security co-founder Dylan Ayrey echoed the comments posted from his company’s Twitter account and sought to assuage privacy concerns, adding: “No one’s raw reports were viewed by employees”.
Colin Winhall, meanwhile, urged bug bounty platforms to “provide in-house solutions for bXss and fork their own version of XSSHunter”.
YesWeHack, the Paris-based bug bounty platform, highlighted its own such solution for self-hosting out-of-band tools, PwnMachine.
Bug bounty programs often prohibit the use of hacking tools hosted by third-party platforms because of the risk that sensitive data leaks could empower malicious hackers, as now appears to be the case with the Amazon VRP.
XSS Hunter was launched as a managed service last week after Bryant, aka ‘Mandatory’, announced he would no longer be maintaining the application.
The new version of the service, which is hosted on San Francisco-based Truffle Security’s domain, is an open source fork of the original code.
Bryant remains the maintainer of the xsshunter-express repository, through which users can self-host their own instance, and other forks are available to migrate to.
Privacy concerns were seemingly a motive in launching the new XSS Hunter service and development of new features, such as the blurring of screenshots captured by the platform.
Speaking to The Daily Swig previously about the relaunch, Truffle Security’s Ayrey said that “many users of XSS Hunter would accidentally send sensitive data to the platform”. He also expressed concern that post-deprecation, “another tool might have come along to replace it with operators that may have had different intentions [to Mandatory] with the data collected.
“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities,” Ayrey added.
Bryant told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service”, and said “Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests”.
This article was updated on February 22 with the news that Truffle Security introduced an end-to-end encryption option to its XSS Hunter fork.