There’s a new Switzerland-based startup launching called WSLabi that is setting up shop to allow “security researchers” to sell vulnerabilities they find in software via an auction format. Their stated goal is to become a legitimate clearinghouse for vulnerabilities, although some may say it’s just organized blackmail.
There are only four vulnerabilities listed currently, including a Yahoo Messenger client side bug described as (see image above) “Remotely exploitable by any user in the victim’s address book (some interaction from the victim is required). Arbitrary code execution possible but non-trivial. Detailed analysis and DoS PoC available.” The opening bid is 2,000 Euros.
The product FAQs state that all purchasers will be “carefully evaluated” to “minimize the risk of selling the right stuff to the wrong people.” But there is only one appropriate buyer for most vulnerabilities (Yahoo, in the case above); it’s unclear who else should be authorized to purchase such information.
The company says that they are simply trying to take activity that’s happening underground into a legitimate marketplace. Perhaps, but this thing doesn’t seem to be fully baked.
Haha (last para!!!)
Include one more word at the end…………..DEADPOOL
I’m a little puzzled why TechCrunch is giving these jokers publicity. I am sure there are hundreds if not thousands of startups out there more deserving of a review. If the site were hopping like mad and generating revenue, then maybe it would be a story. But it’s a teenage fantasy to begin with, plus it doesn’t even have listings. So where’s the story?
One flaw to this is, the company could be raided by the police and all the naughty people that bought the hacks will be exploited, so in that respect this is targeting the companies whose software is online, and thus blackmail.
Their domain registration data is certainly interesting:
Registration Private
(480) 624-2599 Phone
(480) 624-2599 Fax
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
wslabi.com@domainsbyproxy.com
http://who.goda...prog_id=godaddy
Basically you don’t even know the names of the people who run the marketplace. Very trustworthy.
very funny….
I don’t know if this will succeed, but I’ve read reports that some of these exploits get sold for large sums of money so this is hardly the worst idea in the world given that it probably didn’t cost much to set the site up.
I think the biggest challenge this company will face is in trying to create a legitimate marketplace for an underground market. Legitimacy brings some level of transparency, which is not beneficial to most of the parties who have an interest in these transactions. It’s really no different than creating an open marketplace for stolen cars. Thieves and buyers would be foolish to use it.
Flavio: that is domainsbyproxy, which is a service that lets you register domains ‘anonymously’
0day exploits have always existed. There are groups of researchers who find vulnerabilities and disclose, while there are others who keep them to themselves (or within their groups) and use them for other purposes.
The funny thing is, just the description of these exploits tells me enough about them that you could probably easily find them yourself and develop an exploit. I can’t believe they made the list of exploits public.
The Yahoo! Messenger exploit description tells you that user interaction is required, so it would be something like clicking on a link in a message, accepting a contact that is sent etc. and whatever it is, it is likely a bounds-checking issue
If the site is privately registered that means it’s most likely registered to an individual. I can’t blame him for that, especially with this type of web site, but I wouldn’t trust him one bit either.
I just opened my dictionary to look up the definition of irony:
Someone buys a vulnerability on WSLabi in order to hack into their systems, thus bringing the whole site to its knees.
Actually referring this site to eBay is a bit of a reach for me. Too small a user base, and nowhere close the potential to reach a large scale for many of the reasons listed in the comments. Of course after this post they will see a nice spike in traffic.
This site has serious limitations, and I think a real exchange would need to be underground and private (read: illegal and hidden). I don’t see how this could make it as a legitimate site. Of course Switzerland probably won’t do anything to shut it down, considering how long PiratesBay has been up, until perhaps it facilitates a major scandal.
It would be interesting to list some security flaws for the Swiss government on here and see what happens. Maybe then their government would care about IP. But otherwise it will probably stay open just not be too successful.
Very high margin business though. Zero advertising, a percentage of each sale, high ticket price for big exploits = big money to the owners, even if it is not very consistent. Definitely worth giving a shot if you had no morals.
Interesting.
It seems bringing this to a public marketplace may end up biting them in the ass. Some things are just better off left underground.
I actually wonder if the site is actually based in Switzerland (because of that anonymous domain name info). It’s pretty obvious why they say they are based out of Switzerland, but I wonder if it’s true.
Well, the IP address the domain name returns says the server is in San Diego, at California Regional Intranet, Inc. Sounds like a state pen.
haha, that’s insane!
Here’s a very in-depth post by Dancho Danchev basically debunking the entire business model, discussing the computer underground’s own one with their International Exploits Shop, providing an interview with David Endler from the Zero Day Initiative (ZDI), and how the entire project wouldn’t have any effect on the exchange of zero day vulnerabilities in the computer underground. I tend to agree with his best point that even the MPack attack kit that got a lot of publicity got many people infected but was using over 6 months old vulnerabilities that were publicly known and already patched.
The June 16 2007 issue of New Scientist ran a feature on this trade in vulnerabilities and the bottom line was ‘vulnerabilities are the raw materials of intrusion’ and the security of the internet depends on providing financial incentives for the good guys to hunt for vulnerabilities and report them before the bad guys spot them.
As with any market though the distinction between the good guys and bad guys is gonna blur occasionally and New Scientist did a table of vulnerability prices starting with $250,000 (quoted by US Govt source) for ‘some exploits’, $50,000 for a Vista bug and $500 and a T-shirt being offered by the Mozilla Bug Bounty programme.
The interesting point though was the call for a transparent market in vulnerabilities to give customers a better idea of how secure a program or app is.
I don’t see why this is such a bad idea but it would be more interesting to see this as a broker between people who find vulnerabilities and those that need to fix them (the developer of the software). With that in mind, I’m not sure an auction format is appropriate since there is really a monopsony (monopoly = one seller, monopsony = one buyer) and it doesn’t seem ethical to sell a vulnerability in Yahoo Messenger to say MSN.
Jay,
What if those who seek to find bugs, good or bad, and the companies whose software they find bugs in simply agree to conspire against consumers?
Don’t we have a right to know how vulnerable we are?
If the site is privately registered that means it’s most likely registered to an individual.
Looks like this story has also been picked up by BBC:
http://news.bbc...ogy/6276474.stm
Getting way more coverage than it deserves, IMO. The site is rubbish and the idea doesn’t seem well thought out. Can’t see this one lasting long and expect to see it in the deadpool soon.
Cool …