« There is no Data, there is only XUL: Using XUL to spoof a web browser and next generation UIML phishing attacks | Main | The bug disclosure debate continues »

JavaScript bug hunting tool demonstrated, and ethical release of POC code

"The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind," he said after his presentation. "We decided to focus on the educational message and show people the danger."

Another SPI Dynamics representative at ShmooCon said the company had decided not to release Jikto because that could play into the hands of cybercrooks. "We do not want to release anything that could be used for malicious purposes," said Michael Sutton, a security evangelist for the company, which sells Web security tools.

Hoffman said he demonstrated Jikto to raise awareness." - CNET

A few other sites such as Jeremiah's Blog, and Rsnakes site have debated Jikto's release. As someone who knows Billy (I used to work with Billy at SPI Dynamics) I know that this is purely to raise awareness of some of the things that JavaScript can be used for and was in no way with bad intentions. Creating POC code to prove a point is very much different than  handing over a 'ready to go' fully featured toolkit. I'm actually in agreement with the decision that was made and am happy that this talk was presented and look forward to future talks by him.

On a related note before I get any emails in regards to my XUL spoofed browser demo, while this was released it is crippled allowing the point to be proven without handing over script kiddie friendly code.

Article Link: http://news.com.com/JavaScript+bug+hunting+tool+demonstrated/2100-1002_3-6170223.html


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!