New XSS Hunter host Truffle Security faces privacy backlash

Adam Bannister 09 February 2023 at 17:12 UTC
Updated: 22 February 2023 at 15:09 UTC

Tweet sharing anonymized data about bug discoveries deleted after community pushback over privacy.


UPDATED, February 22. On February 21, Truffle Security announced the addition of optional end-to-end encryption to its XSS Hunter fork, prompting favorable reactions on Twitter.

The developers of the newly relaunched version of the widely used XSS Hunter tool have faced a backlash after tweeting anonymized vulnerability statistics derived from user activity, which critics took as a sign that the hosted service was inspecting potentially sensitive data.

The announcement came from Truffle Security, which released a new version of the open source tool last week after its original creator, Matthew Bryant, stepped away from maintaining it, and it quickly drew attention on social media.

“Wow, over 1000 XSS Reports since we launched our version of XSSHunter last week,” they declared.


“About 20 of these reports have their .git directory exposed,” they continued, adding, “around 15 have cloud credentials exposed, and over 100 have CORS issues!”

This announcement sparked alarms among security experts and bug bounty hunters on Twitter, including penetration tester Julien Ahrens, who commented, “Sounds like someone is examining your data closely…” He then suggested, “Protip: Self-host your instance of xsshunter-express or ezxss to keep potentially sensitive data away from this company.”

‘Anonymized statistics’

In response to the backlash, Truffle Security removed the contentious tweet and acknowledged the controversy: “We shared some anonymized stats about XSSHunter (comparable to Hackerone’s public anonymized reports), and the community expressed privacy concerns, so we have deleted it. Thank you for your feedback; it’s fair for the community to hold us accountable.”

However, user ‘@Th3MadHacker’ responded: “This is not analogous to Hackerone, as participants in Hackerone consent to sharing metrics.”

When approached by The Daily Swig for comments, Truffle Security co-founder Dylan Ayrey reiterated the messages from his company’s Twitter account and aimed to alleviate privacy concerns, stating: “No one’s raw reports were reviewed by our staff.”

Colin Winhall also called on bug bounty platforms to “develop in-house solutions for bXss and to fork their own version of XSSHunter.”

YesWeHack, a bug bounty platform based in Paris, highlighted its own self-hosting tool, PwnMachine, designed for out-of-band operations.

Bug bounty programs generally discourage the use of hacking tools hosted by third parties because of the risk that sensitive information leaks and is exploited by malicious actors; the Amazon VRP, for example, takes this stance.

Privacy concerns

XSS Hunter was relaunched as a managed service last week after Matthew Bryant, known as ‘Mandatory’, stepped back from maintaining the application.

The latest version of the service, now hosted on the domain of San Francisco-based Truffle Security, is an open-source fork of the original code.

Bryant continues to maintain the xsshunter-express repository, allowing users to set up their own instances, while other forks are available for migration.


Concerns regarding privacy appear to have played a significant role in the creation of the new XSS Hunter service and the development of features, such as the blurring of screenshots captured through the platform.

In previous discussions with The Daily Swig, Truffle Security’s Ayrey stated, “Many users of XSS Hunter would unintentionally transmit sensitive details to the platform.” He voiced his worry that after the deprecation, “Another tool could emerge, driven by operators who may have different intentions [from Mandatory] concerning the collected data.”

“We recognized an opportunity to address privacy issues while equipping the cybersecurity community with enhanced capabilities,” Ayrey elaborated.

Bryant also expressed that he had grown “increasingly uncomfortable with the volume of vulnerability information stored in the service,” indicating that “Truffle Security aims to strike a balance between privacy considerations and the interests of bug bounty research.”

This article was revised on February 22 following the announcement that Truffle Security had added an end-to-end encryption option to its XSS Hunter fork.

BACKGROUND: Truffle Security relaunches XSS Hunter tool with new features

Based on an article from PortSwigger: https://portswigger.net/daily-swig/new-xss-hunter-host-truffle-security-faces-privacy-backlash
