Offensive Security

HIBP – Code Base now becomes Open Source

The well-known website Have I Been Pwned (HIBP) is becoming open source. On this website, people can check whether an email address has appeared in a public data breach. Founder Troy Hunt announced on his personal blog in early August that the project's code will be published step by step.

HIBP should not be forgotten

In his blog post, Troy Hunt refers to a tweet by Junade Ali. The tweet explains that the password manager LastPass now uses an API to automatically notify users when one of their accounts is involved in a data breach.

Tweet by Junade Ali: https://twitter.com/IcyApril/status/1291012838836899842

According to Troy Hunt, the k-anonymity mentioned in the tweet above is an idea that Junade Ali implemented for Pwned Passwords, the password-checking part of HIBP. This part of the program is now also used in other apps and programs, some of which are open source.
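To make the k-anonymity idea concrete, here is an added example that is not code from HIBP or from Troy Hunt's project. It models the range search that Pwned Passwords exposes publicly: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every hash suffix in that bucket as `SUFFIX:COUNT` lines, and does the final match locally. The server function and the breach corpus below are a constructed, offline simulation (with made-up counts), so the only assumption is that the range-response format matches the public API.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # 5 hex chars -> 16**5 = 1,048,576 buckets, so one prefix hides many passwords

# Constructed stand-in for the server-side breach data: full upper-case SHA-1
# digest -> number of times that password was seen. Counts are made up.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8": 3,   # sha1("password")
    "5BAA6" + "A" * 35: 1,                           # filler entry in the same bucket
    "7C4A8D09CA3762AF61E59520943DC26494F8941B": 2,   # sha1("123456")
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as used by the range search."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the part that is sent and the part that stays local."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def simulated_range_endpoint(prefix: str, corpus: Dict[str, int] = CONSTRUCTED_CORPUS) -> str:
    """Server side of the k-anonymity lookup (constructed simulation).

    The server only ever learns the 5-char prefix and answers with every
    suffix in that bucket, so it cannot tell which password was queried.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    lines = [f"{h[PREFIX_LEN:]}:{n}" for h, n in corpus.items() if h.startswith(prefix)]
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = simulated_range_endpoint) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how often the password appeared in the corpus (0 if not found).
    """
    prefix, suffix = split_hash(sha1_upper(password))
    body = fetch_range(prefix)  # the full hash never leaves this function
    return parse_range_response(body).get(suffix, 0)


def bucket_size(prefix: str, fetch_range: Callable[[str], str] = simulated_range_endpoint) -> int:
    """Size of the anonymity set the server sees for this prefix."""
    return len(parse_range_response(fetch_range(prefix)))


if __name__ == "__main__":
    for pw in ("password", "123456", "a-constructed-unique-passphrase"):
        prefix, _ = split_hash(sha1_upper(pw))
        print(f"{pw!r}: sent prefix {prefix}, bucket size {bucket_size(prefix)}, "
              f"seen {breach_count(pw)} time(s)")
```

Because `breach_count` takes the fetch function as a parameter, the same client logic can be pointed at the real range endpoint later, and a test double can confirm that nothing but the prefix is transmitted.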

Troy Hunt now sees making the HIBP code base open source as the only logical step. This step fits the philosophy of HIBP: until now HIBP was supposed to help the community, and from now on the community is supposed to help HIBP.

Troy Hunt says one reason for this step is that he receives a lot of good ideas for the HIBP project but cannot implement them all alone. For HIBP to remain useful, it must keep adding new ideas and features, and Troy Hunt cannot do that without making the project open source. Open sourcing allows anyone with an idea to implement it themselves and to develop further ideas together with the community.

Another reason mentioned is that HIBP was already largely open in practice: there are 128 blog posts on Troy Hunt's website that deal solely with how the site works. By releasing the code base, Troy Hunt wants to show that he has not hidden anything and that there is no “secret sauce”.

In summary, Troy Hunt says that more and more software is becoming open source and that he supports this development. HIBP is a project that fits the open source mentality, so this is the only logical step.

HIBP search form. Whether Troy Hunt logs the search input will become visible once the code base is released.

It is still a long way until HIBP is open source

The goal of making HIBP completely open source is clearly set and is now being pursued. Troy Hunt writes, however, that this step cannot be taken overnight, because the software is simply not ready to be released in full. Development of HIBP started in 2013 in the Philippines, and over the past 7 years Troy Hunt has programmed the website almost entirely alone.

Every developer knows that a program maintained by a single person contains many things that are not suitable for a public project: comments that contain sensitive information, features that are never used, and so on. If you are the only programmer, you can live with such “bugs”, but before the project is published they should be removed.

So that this happens as quickly as possible, Troy Hunt has enlisted the help of colleagues who are experts in various fields and have experience with open source projects.

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. In my bachelor's and master's studies I specialised in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As an expert in penetration testing, I find vulnerabilities in systems and networks and use them to simulate realistic cyberattacks and improve security measures. Through reverse engineering I discover bugs and opportunities for improvement in software and hardware. My skills in hardware and web security enable me to protect physical devices and online platforms from a wide range of cyber threats and to ensure their integrity and reliability.