Software that could turn a web browser into a hacker's tool has been posted online, after it was downloaded by a quick-thinking attendee at last month's Shmoocon hacker conference.

The software, called Jikto, was written by Billy Hoffman, lead researcher at Spi Dynamics. Hoffman demonstrated the code last week as part of a presentation on the dangers of JavaScript malware.

Hoffman had discovered a way to write a web vulnerability scanner in JavaScript, circumventing its security restrictions. Concerned that Jikto could be misused, Hoffman says he took extra steps to prevent the code from getting out.

However, in order for his demonstration to work, he had to post the Jikto code somewhere on the internet. "Very briefly you could see the original URL of where the Jikto code got fetched," Hoffman said.

That was enough for show attendee Mike Schroll to grab a copy.

"I was sitting pretty close to the front and had my laptop out already," said Schroll, an information security consultant with Security Management Partners. "The second I saw it i just started typing away."

Schroll posted the code to his website a day later, and submitted a link to it to He removed the software several hours later at Hoffman's request.

Schroll said he posted the code because he thought it would be useful to other security professionals looking for ways to show just how dangerous a scripting attack can be. "I was pretty interested in it because we do some engagements with clients where we do fake phishing sites," he said. "I wasn't trying to be nefarious or malicious."

The software was downloaded about 100 times, Schroll said.

Over the past weekend, it surfaced again, this time on the online discussion forum.

With Jikto now public, security researchers worry it could be misused by criminals to scan internal networks for sensitive information, or to build a malicious botnet code. "This particular tool is designed to take control of the web browser," said Jeremiah Grossman, chief technology officer with WhiteHat Security. "It will crawl other web sites and scan them, looking for vulnerabilities."

Hoffman was sanguine about the release of his tool, saying that criminals would probably have been able to develop something similar to his short, 800-line application.

"It's kind of a tragedy that this ended up getting released," Hoffman said. "But in reality the bad guys probably knew this and even if they didn't have it they were probably a couple of months away."

He said he's not angry at Schroll for snagging and releasing the Jikto code. "He probably did what any curious individual would have done," he said. "I really can't fault someone for being curious because that's what my job is."