web application security lab

Fighting Phishing By Full Disclosure

The other day, I ran across a website called Fight Phishing that claims to want to stop phishing by disclosing the cross-site scripting vulnerabilities he can find in the biggest applications out there that can be used for this type of attack. Among the companies are AOL, Citibank, Wells Fargo and the Internal Revenue Service.

Ultimately, this is really about full disclosure, but if you look at the comments on that post you can see that not everyone agrees with the tactics. I had to stop and think about how my site differs (if at all) from his site. Honestly, the only differences I can come up with are semantic. I am not so interested in outing the companies themselves, but rather in raising awareness of the topic in general.

For instance, when I disclose vulnerabilities in some application, it is not so much that I have any interest in that application, or any other application for that matter. However, I am always interested in the underlying methodology and the ultimate ramifications (for phishing or otherwise) of the exploits.

Honestly, I think what this guy is doing is pretty cool, although it is not my particular style. But for those zero-day guys who read my blog, this might be a good place to haunt.
