Acunetix denying web site flaws

Today's story of “You’re lying, we weren’t vulnerable” comes from Acunetix. Copy-pasted from their “about us” page, this is how they describe themselves:

Acunetix was founded with [web application threats] in mind. We realised the only way to combat web site hacking was to develop an automated tool that could help companies scan their web applications for vulnerabilities. In July 2005, Acunetix Web Vulnerability Scanner was released – a tool that crawls the website for vulnerabilities to SQL injection, cross site scripting and other web attacks before hackers do.

I suppose I should give some background info about everything before laying it into Acunetix too much.

A long-standing thread in the sla.ckers forums has been busy posting XSS flaws of major companies. One of the many companies in this list is the aforementioned Acunetix. This thread was linked to by darkreading (who themselves have several XSS holes) and later by slashdot. A few days later Kelly Higgins, the author of the article on darkreading.com, emailed me asking for some info for a follow-up story she wanted to write. Here’s the relevant part of that email:

Acunetix says it has no vulns on its site at all

And here’s what Kelly posted in her follow-up story:

Tamara Borg, Acunetix’s marketing director, says the company has no XSS or other vulnerabilities on its site. “We are developers of a Web application security software tool which detects such vulnerabilities,” she says. “Our Website is scanned on a daily basis to ensure that no such vulnerabilities exist.”

Well… since I hadn’t posted the original flaw and hadn’t tested it myself either, I couldn’t be 100% sure that it had existed, which is what I said. I decided to also PM the person who had posted the flaw on the sla.ckers forum. He confirmed that the XSS flaw had worked but had been fixed. For good measure, 2 more XSS holes were found on their site. Both of those have been fixed, but a screenshot was taken while the flaw existed, which can be found here:

I don’t know if they still want to deny they have XSS flaws, but we now have screenshots that say they certainly have had bugs.

I suppose it’s typical of marketing people to deny any problems and try to sweep them under the carpet, but this tactic cannot be good for the company’s reputation. As someone close to the issue let me know, Acunetix should firstly thank sla.ckers.org, then fix the issue and finally improve their products so they can find these flaws. That may restore some faith in the company.

As was very eloquently put:

We all make mistakes, the web developers at acunetix too, no worries. But that barefaced talk from their press is not acceptable. They should not fool people if they need them (or their money:).

Here endeth my rant, but not the story which is also written about by RSnake and N074H4x0r.

  • http://websecurity.com.ua MustLive

    There are vulnerabilities (and especially XSS) at many security-related web sites. For example, several XSS at http://www.securityfocus.com which I found on the 22nd of August and about which I wrote at my site some time ago. And I wrote a letter to the securityfocus admins (and they already fixed all these XSS, but without saying anything to me about my warning – as many other admins which I contact about vulnerabilities at their sites like to do).