
April 2nd, 2007

JavaScript bug-hunting tool leaks out

Posted by Ryan Naraine @ 11:14 am

Categories: Botnets, Browsers, Data theft, Exploit code, Google, Hackers, Open source, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: SPI Dynamics, JavaScript, Code, Tool, Ryan Naraine

The source code for Billy Hoffman’s Jikto has leaked out onto the Internet.

Hoffman was due to release the code for the JavaScript bug-hunting tool at ShmooCon last month, but after “higher-ups” and SPI Dynamics “changed their minds,” the tool was withheld from attendees.

Now, Hoffman confirms that the code has leaked out despite the “extreme steps” taken to prevent this from happening.

Hoffman explains how the leak occurred:

When I got to Shmoo I saw that I didn’t have a hard connection to the Internet, only wireless. This means anyone in the audience sniffing traffic would see where Jikto was and get a copy. Obviously I couldn’t let that happen.

Instead I VPNed into SPI. This created an encrypted tunnel. I then remotely connected to my Desktop machine at work and did the demo from there. This means no one in the audience could sniff traffic and see where Jikto was stored. The problem is if someone watched very closely they could see the URL of where Jikto’s code was. I ran all my traffic on the work machine through a proxy to show all the requests Jikto was making. The first request would have been to grab Jikto’s code. Someone could have seen the URL and grabbed it.

Which is exactly what happened! A guy named LogicX grabbed a copy this way…

The code has since been posted to the Sla.ckers.org forum. Hacker RSnake discusses snippets of the code, which can be used to hunt for common security holes and then connect back to its controller for instructions on which Web sites to hit and which flaws to look for.

For more on Jikto and the havoc it can wreak, see this story by Joris Evers.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

