New XSS Hunter host Truffle Security faces privacy backlash

Adam Bannister, 09 February 2023 at 17:12 UTC
Updated: 22 February 2023 at 15:09 UTC

Truffle Security Faces Privacy Concerns over XSS Hunter Tool

UPDATED, February 22. Truffle Security announced an optional end-to-end encryption feature for its XSS Hunter fork on February 21, resulting in a more favorable reaction on Twitter.

The maintainers of the newly forked XSS Hunter tool have faced a backlash after publishing anonymized statistics on the vulnerabilities the tool had found, which critics took as evidence that sensitive user data was being analyzed.

The communication from Truffle Security, which recently forked the highly regarded tool after its original creator, Matthew Bryant, stopped maintaining it, sparked a flurry of reactions on social media.

In a tweet, Truffle Security noted, “Wow, >1000 XSS Reports since we launched our flavor of XSSHunter last week.”

“About 20 are found to have their .git directory exposed,” they continued, adding “around 15 have cloud credentials exposed, and over 100 report issues with CORS!”

This message raised alarms among security experts, including security researcher Julien Ahrens, who responded on Twitter: “Sounds like someone is looking at your data closely…” He suggested, “Protip: Consider self-hosting xsshunter-express or ezxss to safeguard potentially sensitive data.”

Response to Community Concerns

In light of the criticism, Truffle Security deleted the problematic tweet and acknowledged the concerns raised, stating: “We shared some anonymized statistics about XSSHunter (similar to the public anonymized reports from Hackerone) and prompted by community feedback, we have removed it. Thank you for pointing this out; it’s essential to hold us accountable.”

However, user ‘@Th3MadHacker’ countered: “This differs from Hackerone as participants provide consent for metric sharing.”

In response to inquiries from The Daily Swig, Truffle Security co-founder Dylan Ayrey reiterated the comments from their Twitter account, aiming to alleviate privacy concerns by stating: “No raw submission reports were accessed by employees.”

Colin Winhall further urged bug bounty platforms to explore in-house solutions for XSS vulnerabilities and to fork their versions of XSSHunter.

YesWeHack, a bug bounty platform based in Paris, highlighted its own solution for self-hosting out-of-band tools called PwnMachine.

Bug bounty programs often disallow third-party hosted hacking tools because of the risk that leaked data could aid malicious actors, as currently appears to be the case with the Amazon VRP.

Future Developments

XSS Hunter was reintroduced as a managed service last week, following Bryant’s announcement of discontinuing maintenance of the tool.

This new version, hosted on Truffle Security’s domain in San Francisco, is an open-source fork of the original tool.

Bryant remains the maintainer of the xsshunter-express repository, enabling users to self-host their instances, with various other forks available for migration.

Privacy concerns were a central motivation for relaunching the XSS Hunter service and for developing new features, such as the blurring of captured screenshots.

In prior discussions with The Daily Swig, Truffle Security’s Ayrey mentioned that “numerous users inadvertently send sensitive information to the platform.” He also expressed concerns that post-deprecation, “another tool might appear with operators having differing intentions regarding the data collected.”

“We see an opportunity to alleviate privacy concerns while providing new functionalities to the cybersecurity community,” Ayrey emphasized.

Bryant conveyed to The Daily Swig his increasing discomfort regarding the volume of vulnerability data stored within the service and remarked that “Truffle Security is committed to balancing privacy with the needs of bug bounty research.”

This article has been updated as of February 22, reflecting Truffle Security’s introduction of an end-to-end encryption option in its XSS Hunter fork.

Based on an article from portswigger.net: https://portswigger.net/daily-swig/new-xss-hunter-host-truffle-security-faces-privacy-backlash
