
Monday 11 March 2013

"Douchebag" iiNet - Reported XSS, No response.

In September 2012, I decided to responsibly disclose a few serious iiNet vulnerabilities. As a part of my beliefs, responsible disclosure is a MUST in this industry if we want to move further with a more secure web experience for everyone.

Toying around with a few vectors on their toolbox had led me to a GET XSS as well as HTML injection. After finding this, I decided to call iiNet and see what they had to say. Of course, I got pushed around from department to department, simply because I was a good Samaritan on the internet.

Eventually, I reached an end, and I had been recommended to send an email to, doing so, I fully disclosed the vulnerability, its effects and possible prevention methods. It took them over 3 months to fix it. Want to know what's worse? They didn't even reply.

Yes. I am talking about iiNet, considered a "good" ISP due to their "responsive" customer service. This certainly wasn't the case for me.

If you run a website or web service, and a penetration tester is willing to discuss his findings, take the opportunity. Chances are that he or she is just trying to help, and if they are not asking for anything in return, consider him/her to be a person with decent moral standings.

The XSS vulnerabilities on iiNet are NOW fixed, but no reply has been issued to me, not even a simple two-word response: "Thank you".

Note: For those who wish to get any sort of proof or even perhaps a more detailed discussion about this personally, feel free to contact me.