Jikto in the wild - The HP Security Laboratory Blog
Jikto in the wild

It appears that the source code to Jikto is in the wild. I suppose it was only a matter of time, even though, as you will see, SPI took extreme steps to prevent this from happening.

As my Shmoocon presentation slides discuss, Jikto bypasses the "Same Origin Policy" by using a proxy website like the-cloak, proxydrop, Google Translate, etc. This allows Jikto's code and the content of third-party sites to be loaded into the same security domain (i.e. the proxy site's), and thus Jikto can read the responses. I believe pdp of GNUCITIZEN first discussed this, and I based much of Jikto on his work. The consequence is that Jikto's code had to exist somewhere on the public Internet when I did my demo. Worse, when I got to Shmoo I saw that I didn't have a wired connection to the Internet, only wireless. This means anyone in the audience sniffing traffic would see where Jikto was and get a copy. Obviously I couldn't let that happen.
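To make the origin argument above concrete, here is an added example (not Jikto's code, nor anything from SPI or GNUCITIZEN) that models the browser's origin comparison and shows why two URLs served through one rewriting proxy end up in the same security domain; all host names are constructed placeholders.

```javascript
// Added example, not Jikto's code: the Same Origin Policy compares the
// (scheme, host, port) tuple of the script's page with that of the
// resource it tries to read. Host names are constructed placeholders.

// Build the origin tuple the browser compares; default ports are made
// explicit so "http://a.example" and "http://a.example:80" agree.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Model of a rewriting proxy (the-cloak / Google Translate style): the
// remote page is fetched by the proxy and served from the proxy's own
// origin; the real target survives only as a query parameter.
function viaProxy(proxyBase, target) {
  const p = new URL(proxyBase);
  p.searchParams.set("u", target);
  return p.toString();
}

// Hypothetical locations: where the scanner script is hosted, a page it
// wants to read, and the proxy both are routed through.
const SCRIPT_URL = "http://scanner-host.example/jikto.js";
const TARGET_URL = "https://intranet.example/admin/";
const PROXY_URL = "http://translate-proxy.example/translate";

// Direct: different scheme and host, so the browser refuses to let the
// script read the target's response.
function directReadAllowed() {
  return sameOrigin(SCRIPT_URL, TARGET_URL);
}

// Through the proxy: both URLs now carry the proxy's origin, so the
// browser treats the target's content as same-origin with the script.
function proxiedReadAllowed() {
  return sameOrigin(viaProxy(PROXY_URL, SCRIPT_URL),
                    viaProxy(PROXY_URL, TARGET_URL));
}
```

The defender's takeaway is that the browser enforced its policy correctly in both cases; it is the proxy that collapsed two origins into one.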

Instead I VPNed into SPI. This created an encrypted tunnel. I then remotely connected to my desktop machine at work and did the demo from there. This means no one in the audience could sniff traffic and see where Jikto was stored. The problem is that if someone watched very closely, they could see the URL where Jikto's code was. I ran all my traffic on the work machine through a proxy to show all the requests Jikto was making. The first request would have been to grab Jikto's code. Someone could have seen the URL and grabbed it.

Which is exactly what happened! A guy named LogicX grabbed a copy this way and posted it on Digg just a day after Shmoocon. However, I contacted LogicX and asked him to take it down. I'm thankful he did. However, it seems someone else either grabbed his copy before it was removed or grabbed the code themselves at Shmoocon just like LogicX did.

The long and short of all of this is that Jikto's code is in the wild. Regardless of what you might have heard, SPI didn't leak it. Even LogicX admitted he snatched it because he got lucky. I suppose it was only a matter of time.


Posted 04-02-2007 12:19 PM by Billy

Comments

dre wrote re: Jikto in the wild
on 04-02-2007 2:41 PM
i saw it but didn't download because i don't want [insert legal bad stuff to happen to me]. maybe you should just release it to the public at this point?
LonerVamp wrote re: Jikto in the wild
on 04-02-2007 2:47 PM
As unfortunate as this is, you have to admit that in this age of information, trying to hang onto things while also showing them off or displaying or even talking about them is just not going to happen. Even if the code never got out, the idea is there and the technology aligned to make someone else's code work instead. Unfortunate, but reality. Oh well, in the wild or not, the issue(s) needed to be addressed.
LogicX » Blog Archive wrote Jikto Source Code Situation
on 04-02-2007 3:43 PM
Andre Gironda blog wrote Please release Jikto
on 04-02-2007 5:32 PM
anon wrote re: Jikto in the wild
on 04-02-2007 7:14 PM
> Someone could have seen the URL and grabbed it.
Extreme measures were taken? Maybe you were just being funny. It sounds more like the hardened steel front door was right next to an open window. At least this will get people scrambling to fix the problem.
Sven Vetsch / Disenchant wrote re: Jikto in the wild
on 04-04-2007 4:06 AM
Hi Billy, in your presentation you wrote: "XSS + Jikto + Social Networking = Botnets". Perhaps my write-up on Web-based Dynamic Botnets could be interesting for you :) http://www.disenchant.ch/blog/webbased-dynamic-botnets/53 Regards, Sven
Larry wrote re: Jikto in the wild
on 04-04-2007 11:34 AM
I suppose it's like going into a room with a loaded gun, and when someone gets hurt, claiming it went off by accident. I guess you just joined the club with members like Oppenheimer, Einstein, etc.
zed260 wrote re: Jikto in the wild
on 04-06-2007 5:13 PM
Personally I'm glad it was leaked; it will mean more people will be monitoring the code they write in JavaScript. Besides, someone else would have written something similar and released it sooner or later.
luke-the penguin killer wrote re: Jikto in the wild
on 04-07-2007 2:19 PM
I really find the idea that someone of your obvious talents "accidentally" let this happen an insult to the collective security industry. You expect us to believe that all the hype and attention you are getting now was not your plan in the beginning. Nope. Not buying it. To quote Jack Nicholson in a recent movie: "Sell crazy somewhere else. We're not buying."
Ertunga Arsal wrote re: Jikto in the wild
on 04-10-2007 11:51 AM
Billy, what does it matter whether the sources have leaked or not? This is about ideas, and the presentation already gives enough of them to construct the attacks on one's own. Some lines of PoC JS code do not make any difference. Whether to cut the bread or stab a person with it is people's own choice. "Bypassing Same Origin Policy" was the keyword, which was also discussed at CCC a lot recently. I don't understand why some people are suddenly so energetic about it.
Wang Chung wrote re: Jikto in the wild
on 05-23-2007 5:16 AM
Hey I'd just like to say thanks for making the internet a safer place. And I'd like to give you a big pat on the back for DEMONSTRATING jikto through a wireless connection, absolutely brilliant. It's not like a wireless connection broadcasts to everyone within a certain radius, or anything. I hope you don't have kids. It would be a shame to have any more of you.
HC1 wrote re: Jikto in the wild
on 05-23-2007 3:07 PM
let me know when it is available for download/exploit ;-)
