New XSS Hunter host Truffle Security faces privacy backlash

Adam Bannister 09 February 2023 at 17:12 UTC
Updated: 22 February 2023 at 15:09 UTC

Anonymized numbers of bug discoveries swiftly deleted after pushback

UPDATED, February 22. Truffle Security announced the introduction of optional end-to-end encryption to its XSS Hunter fork on February 21, eliciting a more positive response on Twitter

The maintainers of a new version of popular hacking tool XSS Hunter have been criticized for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

The contentious communication from Truffle Security, which launched a new fork of the open source tool last week after its deprecation by original creator Matthew Bryant, was tweeted yesterday.

“Wow, >1000 XSS Reports since we launched our flavor of XSSHunter last week,” it said.


“~20 of them have their .git directory exposed”, it continued, adding “~15 of them have cloud credentials exposed and >100 have CORS issues!”

This provoked consternation among bug hunters and security researchers on Twitter, including hacker and pen tester Julien Ahrens. “Sounds like someone is looking at your data closely…” he tweeted. “Protip: Host your own instance of xsshunter-express or ezxss to avoid leaking potentially sensitive data to this company.”

‘Anonymized stats’

Truffle Security responded to the social media storm by deleting the offending tweet and acknowledging the pushback: “We posted some anonymized stats about XSSHunter (similar to Hackerone’s public anonymized reports), and members of the community voiced privacy concerns, so we took it down. Thank you for reposting it,
