In association with heise online

05 July 2007, 14:59

Bid on exploits at new public auction platform

It has been common knowledge for quite some time now that underground auctions exist where security vulnerability exploits change hands. Now, the operators of the virtual marketplace WabiSabiLabi offer an auction platform over which, according to their FAQ, any security specialist can publicly offer exploits for as yet unreported security vulnerabilities. This is meant to let the seller attain the highest possible return for their efforts. In order to prevent misuse for illegal purposes, both sellers and potential buyers are required to preregister. The potential buyer has to undergo a check, but the Swiss-based operators do not specify its nature. However, following registration, applicants are required to fax a copy of their identity card along with a telephone number (which does not seem an unduly strong form of validation).

Currently, there are four exploits for sale. The first is for a vulnerability under Linux that can be exploited locally (starting price 500 euros); the second is an exploit for a remotely exploitable vulnerability in Yahoo! Messenger 8.1 under Windows XP (2,000 euros). Another exploit for a vulnerability in Squirrelmail starts at 500 euros, but is available to "buy now" for 1,000 euros. Finally, the list even contains an exploit for an SQL injection vulnerability in MKPortal. Up to now, no bids have been made on any of the exploits.

Knowledge regarding security vulnerabilities and the construction of exploits has created quite a strong market over the past years. At the CeBIT exhibition, Eugene Kaspersky, founder of Kaspersky Labs, speculated: "We are increasingly having to deal with a global industry that employs thousands of people. I wouldn't be surprised if their gross turnover exceeds the revenues of the security software sector." Ultimately, internet crime extends to encompass associated activities such as money laundering. Even key security service providers like TippingPoint and iDefense buy information on security vulnerabilities within the framework of their bounty programs, to protect their customers.
