from ShmooCon

Software that could be used to turn a Web browser into an unwitting hacker’s tool has been posted to the Internet, after it was downloaded by a quick-thinking attendee at last month’s Shmoocon hacker conference.

The software, called Jikto, was written by Billy Hoffman, lead researcher at Spy Dynamics Inc. Hoffman demonstrated the code on March 24 as part of a presentation on the dangers of JavaScript malware.

Hoffman had discovered a way to write a Web vulnerability scanner in JavaScript, a Web language that can run in any browser. This technique circumvents JavaScript’s security restrictions and, concerned that his Jikto code could be misused, Hoffman says he took extra steps to prevent the code from getting out.

However, in order for his demonstration to work, he had to post the Jikto code somewhere on the Internet. “Very briefly you could see the original URL of where the Jikto code got fetched,” Hoffman said.

That was enough for show attendee Mike Schroll to snag a copy.

“I was sitting pretty close to the front and had my laptop out already,” said Schroll, an information security consultant at Security Management Partners Inc. “The second I saw it i just started typing away.”

Schroll posted the code on his Web site March 25, and submitted a link to the code on Digg.com. He removed the software several hours later at Hoffman’s request.