Found an XSS vulnerability on a website that I won't mention last week. Before the day was out, I was threatened with legal action.
I know the folks in charge of the organization that runs the website, and I was chatting with managers about application security and XSS attacks while looking at the application.
I was able to make a new account with the username "><xss> and that ended up getting echoed back to me in several places - most worryingly, the application provided a "share my schedule" link to encourage folks to share their schedules with others, and that link contained only some sort of hash in the URL - so one could be tricked into following it to see a user's schedule, yet then be hit by a cross-site scripting (or cross-site request forgery, etc.) attack. Scary!
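To make the attribute break-out concrete, here is an added example (not the original post's code, and not the site's actual markup, which is unknown): a hypothetical "share my schedule" link template that concatenates the username straight into an HTML attribute, beside the same template with the username HTML-encoded. The username `"><xss>` closes the `title` attribute and the `<a>` start tag in the first version, so `<xss>` lands in the page as a tag; in the second it is inert text.

```javascript
// Added example: why the username "><xss> breaks out of an HTML attribute when echoed
// without encoding, and how contextual encoding stops it. Template shapes are assumed.

// Encode the characters that matter in HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable template: username and opaque schedule hash concatenated raw.
function renderShareLinkVulnerable(username, hash) {
  return `<a href="/schedule/${hash}" title="${username}'s schedule">Share</a>`;
}

// Same template with each value encoded for the context it lands in:
// URL path segment for the hash, HTML attribute for the username.
function renderShareLinkSafe(username, hash) {
  return `<a href="/schedule/${encodeURIComponent(hash)}" title="${escapeHtml(username)}'s schedule">Share</a>`;
}

// Crude structural check: number of start tags in the rendered fragment. An encoded
// username can never add one; a raw username can, which is exactly the injection.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Demo with the post's username; the hash value is a constructed placeholder.
const username = '"><xss>';
const hash = 'abc123';
console.log('vulnerable:', renderShareLinkVulnerable(username, hash));
// <a href="/schedule/abc123" title=""><xss>'s schedule">Share</a>   (2 start tags)
console.log('safe:      ', renderShareLinkSafe(username, hash));
// <a href="/schedule/abc123" title="&quot;&gt;&lt;xss&gt;'s schedule">Share</a>   (1 start tag)
```

Note that `countStartTags` is only a demonstration aid; the real check is that every untrusted value is encoded for the specific context (HTML text, attribute, URL, JavaScript string) in which the template places it, and that a username containing `"` or `>` is treated as ordinary data rather than rejected at registration, since registration filters are easy to miss in the other places the value is echoed.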
This wouldn't be a very noteworthy story, except that when the tech found out, he threatened to call the FBI on me for attempted "identity theft." Now, I didn't actually write any exploit code or JavaScript, or get any browser other than my own to view the unescaped username. But this kind of "we'll hide our problems by going after folks" attitude is just a little too creepy for my tastes.
The XSS vulnerability has since been fixed. Perhaps I'm not creative enough to see how just any XSS vulnerability could be turned into a vehicle for stealing someone's (non-digital) identity. The most evil easy thing I could come up with was writing some sort of social networking (Facebook/MySpace) worm that could perpetuate itself through the "share my schedule" feature and a cross-site request forgery (pseudo-code example: ).
Perhaps I'm just not evil enough.