She demonstrated the existence of XSS flaws in Google and other important sites

Apr 28, 2012 12:01 GMT

If last week we interviewed Janne Ahlberg, a white hat from Finland, this time we move our caravan to Russia, where we meet Sony.

She is very passionate about security and her experience gained in the past couple of years helped her realize that there’s a very thin line between the responsible and irresponsible disclosure of vulnerabilities.

Among the sites that were found to be vulnerable by this white hat, we find Microsoft (in collaboration with Flexxpoint), the Chip forum from Germany, LiveJournal, Avira, Symantec, CIA.gov, Adobe, eBuddy.com, ICQ.com, Invision Power Board, deviantART, Google and many, many others.

In the interview below, Sony details her collaboration with the infamous TinKode and the Bulgarian researcher known as Flexxpoint, but also some other interesting things about online security, and her experiences in Internet security.

Softpedia: First of all, explain to our readers the significance of your hacker name?

Sony: I have liked the Sony company since I was a kid. My first Sony item was a TV set in 1990. My nickname is a tribute to this company.

Softpedia: How old are you now and when did you become passionate about online security?

Sony: I am 31 now and became interested in internet security about 2 years ago. Before that I had other interests.

Softpedia: Was there anything in particular that triggered your interest?

Sony: Yes, I wanted to find some interesting hobby for myself. I tried it and I liked it.

Softpedia: You have found vulnerabilities on a large number of websites. Was there a vulnerability that was really difficult to find?

Sony: Cross site scripting vulnerabilities are easy to find anywhere. It's a little bit more difficult to find them on Google sites.

Softpedia: What was the most important site that you found to be vulnerable?

Sony: The most important was Google. Me and TinKode sent a few bug reports to Google security. Some of the bugs can be seen in our videos. Another important bug was found in vBulletin by me and Flexxpoint.

Softpedia: You say you have found a vulnerability with TinKode, the Romanian hacker that not long ago got arrested. Do you believe that he was only trying to find vulnerabilities in websites and not cause any damage? Did the authorities arrest him because they misunderstood him, or because he was also doing illegal stuff?

Sony: Yes, I believe he did not want to do anything bad. He is a good guy. I think he was arrested just to scare other hackers. It was wrong because he did not use the results of his research to do anything bad. I think he should be understood and forgiven, and given a chance to review his views on ethical hacking.

Softpedia: Do you use any programs to search for XSS or do you do it manually?

Sony: I do it manually and don't use any programs. First of all, it's just not interesting to use programs. It's like if someone drank your tea for you.

Second, scanners can't be better than the human mind and hands. But if you are an admin and have no time to search manually, you can use PRO version scanners; just remember, they can't guarantee 100% results.

Softpedia: We know you have a blog where you post your findings. Why did you start a blog?

Sony: I created my blog to collect examples of cross site scripting vulnerabilities and show all the possibilities related to it. Recently, I shut the blog down because I changed my views.

Now I consider it unethical to post the bugs in blogs or other places for everyone to see. If you want to report the bug, report it directly to the developers.

Softpedia: Do you specialize only in XSS or do you also know how to identify and exploit other types of vulnerabilities?

Sony: I know a little bit about SQL Injection etc. but as for now I am not interested in it.

Softpedia: How did you learn about IT security? Did you take any courses or did you learn by yourself? Before starting to put more passion into internet security, did you work in the IT sector?

Sony: No, I am not employed in IT and never took any related courses. I had just read a tutorial about cross site scripting once and I wanted to try it.

Softpedia: What do you get out of this IT security "business"? Do you like to help people patch their sites, or do you simply do it for yourself, to test your limits?

Sony: I like the process of searching for XSS and I like to see different variants of this vulnerability.

Softpedia: Do you feel that you are helping raise awareness by reporting XSSs in websites? Do you ever fear that you may be causing damage by publishing the vulnerabilities?

Sony: I don't think so. This is my new view of publishing bugs for everyone to see.

Why it is a bad thing to do:

It's wrong to make any vulnerabilities public. The developers are not robots, they can't always fix them quickly. Someone can exploit them. What could a developer or admin say to the researcher who published their bug?

They could say: "Thank you for publishing this. Today me and my colleagues will be late from work, because we have a lot of additional work to do thanks to you, and now we need to fix all this ASAP. You could have sent the bug to us privately via e-mail and we could take a week or so to think about it and fix it without hurrying. Thank you, you smug idiot."

Why it could be a good thing to do:

A bug can be published when it already has been fixed. In this case we can see it as one of many examples of using cross site scripting. Many vulnerabilities of this type are similar to vulnerabilities in other CMS. For example: persistent XSS in a profile, or in a message sending interface, in comments or somewhere else.

Softpedia: Do you notify companies when you find security holes on their sites?

Sony: Sometimes I do. Most of the time I didn't and now I feel sorry about it.

Softpedia: When you do notify them, how do they respond? Are they grateful, or do they ignore you?

Sony: Could be either way. Some respond and say "thank you," some of them don't respond.

Softpedia: Do you see yourself working as a professional in the IT Security business in the future, or do you want to keep this as a hobby?

Sony: I don't know. The future is tomorrow. I can't know what's gonna happen tomorrow.

Softpedia: What is your view on hacktivism? Have you ever gotten involved in such activities?

Sony: I think hacktivism is an interesting idea and could work in the future when technologies are more developed. As for now it is still mostly a cybercrime. Mostly. I never took part in any of this and am not going to do it in the future.

Softpedia: Do you think women can make a career in the security business?

Sony: I think they can if they want it and are really interested in it.

Softpedia: What are your other hobbies?

Sony: I like photography, watching documentary films and vegan cooking.

Sony's work can be found on her personal blog or on InSecurityRomania.