New XSS Hunter host Truffle Security faces privacy backlash

Adam Bannister, 09 February 2023 at 17:12 UTC
Updated: 22 February 2023 at 15:09 UTC

A tally of bug discoveries was hastily deleted following backlash from the community.

XSS Hunter's new host

UPDATED, February 22. On February 21, Truffle Security introduced optional end-to-end encryption for its XSS Hunter fork, receiving a warm reception on Twitter.

The team behind the newly launched version of the renowned XSS Hunter tool faced criticism after disclosing potentially sensitive user data in the form of anonymized statistics regarding vulnerabilities identified.

This controversial statement from Truffle Security came shortly after they released their variant of the open-source tool, which was previously deprecated by its original creator, Matthew Bryant.

In their communication, they boasted, “Wow, over 1000 XSS Reports since we launched our version of XSS Hunter last week.”


“Approximately 20 of these reports revealed exposed .git directories,” they added, along with, “around 15 reports included leaked cloud credentials, and over 100 displayed CORS problems!”

This announcement triggered a strong reaction from security researchers and bug hunters on Twitter, including pentester and hacker Julien Ahrens, who stated, “It seems someone is closely monitoring your data…” He advised, “Protip: Consider hosting your own version of xsshunter-express or ezxss to prevent leakage of sensitive information to this company.”

Concerns Over ‘Anonymized Statistics’

In response to the uproar on social media, Truffle Security deleted the original tweet and acknowledged the negativity: “We shared some anonymized statistics about XSS Hunter (like Hackerone’s public anonymized reports), and community members raised privacy concerns, so we deleted it. We appreciate your vigilance in holding us accountable.”

However, ‘@Th3MadHacker’ responded: “This isn’t comparable to Hackerone, as the programs on Hackerone agree to share metrics.”

When approached for comments, Truffle Security’s co-founder Dylan Ayrey reiterated the statements made on their Twitter, assuring that “No employee has viewed any raw reports.”

Colin Winhall also called on bug bounty platforms to “develop in-house solutions for bXss and fork their own variants of XSS Hunter.”

YesWeHack, a bug bounty platform based in Paris, showcased their own self-hosting solution, PwnMachine.

Bug bounty initiatives frequently forbid the use of third-party hacking tools, due to the risks of sensitive information being exposed to malicious hackers, a concern demonstrated in recent cases like the Amazon VRP.

Motives Behind Privacy Concerns

XSS Hunter was launched as a managed service recently after creator Bryant, known as ‘Mandatory’, announced he would step back from maintaining the application.

This new service version, hosted under Truffle Security’s domain based in San Francisco, operates as an open-source variant of the original code.

Bryant continues his role as the maintainer of the xsshunter-express repository, allowing users to self-host their own instances, alongside other available forks for migration.


Concerns over privacy seemed to motivate the introduction of the new XSS Hunter service and its feature enhancements, including blurring screenshots captured by the platform.

In prior conversations with The Daily Swig, Ayrey addressed the service relaunch, stating that, “Many users of XSS Hunter unintentionally sent sensitive data to our platform.” He also expressed worry that following its deprecation, “an alternative tool might emerge with operators having different intentions [than Mandatory], concerning the data collected.

“We identified a chance to mitigate privacy issues while equipping the cybersecurity community with new functionalities,” Ayrey added.

Bryant conveyed to The Daily Swig that he felt an increasing unease with the volume of vulnerability data hosted by the service, mentioning, “Truffle Security aims to find a balance between privacy and bug bounty research interests.”

This article was updated on February 22 to reflect Truffle Security’s introduction of an end-to-end encryption feature for its XSS Hunter fork.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/new-xss-hunter-host-truffle-security-faces-privacy-backlash
