JavaScript bug-hunting tool 'stolen'

Web security firm SPI Dynamics tried to keep private a tool that turns PCs of unknowing Web surfers into drones for hackers, but the source code has made it onto the Web anyway.

"Jikto's code is in the wild," SPI researcher Billy Hoffman wrote in a blog post on Monday. "A guy named LogicX grabbed a copy...and posted it on Digg just a day after Shmoocon."

The individual was able to get the code because Hoffman in his presentation at the hacker conference displayed the Web address of the site hosting Jikto.

"If someone watched very closely they could see the URL of where Jikto's code was...Someone could have seen the URL and grabbed it," Hoffman wrote.

Jikto is a Web-application vulnerability scanner created in JavaScript. It can silently crawl and audit public Web sites, and then send the results to a third party, Hoffman said in his ShmooCon presentation. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

Hoffman initially planned to release Jikto's code at ShmooCon, but changed his plans after higher-ups at SPI said he shouldn't. The reason: Jikto could be used for malicious purposes.