Well, it’s probably time that I posted this, although I’m pretty sure the end is nowhere in sight - but it’s probably worth a status update. The web application security forums were only built a month or so ago and they are already on fire. Not just because there are a lot of vulnerabilities being posted in the “Full Disclosure” section, but because of the drama that ensued with two security companies, F5 and Acunetix. Maybe I should start from the top.
This morning I was doing my morning ritual with my lovely girlfriend. We just got this very cool chair called a Sumo Lounge that’s sorta like a big bean bag chair only way more art-deco and way more comfortable (check the website if you need a hacker chair - it’s seriously our most comfortable piece of furniture). Anyway, my girlfriend was sitting in the Sumo Lounge asking me about what’s been going down over the last few days. More or less I think she was concerned that what has been happening is either illegal or otherwise bad. I’m no lawyer, but Jeremiah Grossman did a wonderful writeup on why it shouldn’t be illegal. To paraphrase him: yes, it’s probably illegal in certain countries, but here it’s an open issue.
So anyway, in relative comfort I can move onto the drama. F5 and Acunetix both were found to have XSS/HTML injection vulnerabilities in them. Not a big deal except it’s a slap in the face to have security issues if you are a security company. Around this time we get slashdotted and written up in a number of articles [here] and [here]. Then the snowball effect of the group takes over and the group finds their way onto tons of different news sites, including theirs.
This all probably would have died down, but then F5 and Acunetix denied that they were vulnerable. Bad move. First of all, they WERE vulnerable; secondly, the members of the forum immediately found more vulnerabilities in the two security companies’ websites. This time with screenshots. Ouch. There’s a pretty amusing writeup at NOT4H4×0r’s blog about the whole thing.
Wow… Anyway, as I regale my girlfriend with the tale while she sits in the Sumo Lounge, I think she’s too comfortable, because no non-technical person can listen to anyone nerding out that much without getting bored. So two conclusions: 1) this is a bigger problem than anyone realized, if only for public relations reasons, and 2) the Sumo Lounge stays.