Another perfect example that shows how hackers and companies can work together

May 8, 2012 18:41 GMT

The popular torrent site Kickass Torrents (KAT) awarded the sum of $100 (76 EUR) to a hacker who helped them address a number of cross-site scripting (XSS) vulnerabilities that affected the website.

Many will agree that the best way to secure a website is to ask a hacker or a penetration tester to give it a crack. Recently we’ve seen many situations in which hackers (white hats and grey hats) helped companies ensure the safety of their sites.

Today we bring another example in which the hacker known as Gambit helped KAT identify and fix a number of security holes that exposed the torrent site.

“As you all know, over the past month or two I've publicly helped sites patch up vulnerabilities on their sites. One in particular stands out and I would like to give a great thanks to the amazing staff of this website. The site being KAT.ph,” Gambit started his story.

“I signed up about three weeks back. Not there to download torrents, but simply to help the admin secure his site. I started off with their main search bar and located an XSS vulnerability. With the help of a good friend PI, I was able to get it to execute.”

After finding the security hole, he notified the site’s administrators and provided them with the details they needed to locate and fix the weakness.

“I didn't ask for anything, simply made an inquiry to see if they have any sort of reward program, such as FB or Google. He was very generous and said he would be happy to give me an award and told me to keep searching for vulnerabilities and report them,” he explained.

After digging around a bit, Gambit found a total of six XSS vulnerabilities, two of which were persistent. While the non-persistent (reflected) flaws require a certain degree of social engineering from the cybercriminal's side in order to be exploited, the persistent (stored) XSS flaws don’t need any user interaction.

That’s because, unlike with reflected XSS, the arbitrary content inserted by the attacker is permanently displayed on the affected webpages.
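
The difference between the two classes, and the output encoding that closes both, shown as an added example (not code from KAT or from the article). The page functions, the in-memory comment store and the test string are all constructed for illustration.

```javascript
// Constructed model of a search page (reflected) and a comment page (stored).
// Every name here is hypothetical; nothing is taken from the site in the article.

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable behaviour: the value is written into the page with no encoding.
const raw = (value) => String(value);

// Reflected: the value comes from the current request and is echoed back
// only to the visitor whose request carried it.
function renderSearch(query, encode) {
  return `<h1>Results for ${encode(query)}</h1>`;
}

// Stored: the value was saved earlier and is rendered for every later visitor.
const comments = [];
function saveComment(author, text) {
  comments.push({ author, text });
}
function renderComments(encode) {
  return comments
    .map((c) => `<li><b>${encode(c.author)}</b>: ${encode(c.text)}</li>`)
    .join("");
}

// Constructed, harmless test string used to see whether markup survives.
const probe = "<script>alert(1)</script>";
const rendersMarkup = (html) => html.includes("<script>");

function demo() {
  comments.length = 0;
  saveComment("visitor-a", probe);
  return {
    reflectedRaw: rendersMarkup(renderSearch(probe, raw)),
    reflectedEncoded: rendersMarkup(renderSearch(probe, escapeHtml)),
    // An ordinary search from another visitor is unaffected by the reflected case...
    cleanSearchRaw: rendersMarkup(renderSearch("ubuntu iso", raw)),
    // ...but the stored value reaches anyone who loads the comment page.
    storedRaw: rendersMarkup(renderComments(raw)),
    storedEncoded: rendersMarkup(renderComments(escapeHtml)),
  };
}

console.log(demo());
```

Encoding at output time fixes both pages because the stored value is neutralised each time it is rendered, whatever was saved earlier.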

“After all of them were sent in and patched up, he rewarded me with $100 which just made my spring break, reporting vulnerabilities to multimillion dollar corporations and a torrent site is what finally pays me,” he added.

“So again I would simply like to give a thanks to the amazing admin and staff over at K.A.T for their generosity and for actually listening and patching the vulnerabilities within hours of my reporting them. Great job guys :)”

The bottom line is that most white/grey hats will settle for a “thank you” in return for helping you fix the site, and if you give them $100 (76 EUR) most of them will be grateful to you for life. So why not collaborate with them, instead of learning the hard way that a simple XSS flaw is more than enough to ruin your company's reputation and expose your customers?