Jikto Hits The Web
“I will not be releasing the source code of Jikto…” – Billy Hoffman, March 22nd, talking about his upcoming Shmoocon discussion of Jikto.
“It appears that the source code to Jikto is in the wild.” – Billy Hoffman, April 2nd, noting how someone promptly grabbed the code during his Shmoocon presentation and posted it publicly.
Hoffman, a security researcher at SPI Dynamics, took steps during his presentation to try to keep prying eyes from seeing where the Jikto code could be obtained. Although he said in a later blog post that SPI took “extreme steps” to keep the source code protected during the Shmoocon talk, a hacker going by the handle of LogicX easily spotted a URL where he could get it.
He did so, and posted it to his website and then to Digg. Although LogicX took it down upon request, the damage was done, and Jikto made it into the wild.
“Regardless what you might have heard, SPI didn’t leak it,” said Hoffman. “Even LogicX admitted he snatched it because he got lucky.”
“I meant no harm to Billy or SPI, and immediately took it down. My interest in the code was purely from the perspective of how it worked,” LogicX wrote on his blog. He identified himself as an Information Security Consultant with Security Management Partners in Boston.
The code that escaped was only client-side code, LogicX said, and is incomplete without the other pieces of Jikto.
As a proof of concept, Hoffman just wanted to show how dangerous XSS vulnerabilities could be, and why web designers needed to be more aware of developing an online application securely. When criminals start building upon Hoffman’s work, the real-world demonstration will be very instructive.