Monday, December 3, 2007

Psst! Hey buddy, wanna buy an 0-day vuln?

If you haven't lived in a cave for the last few months, you've undoubtedly heard about WabiSabiLabi, the self-proclaimed "eBay of vulnerabilities". Well, if you've been on the site since it's August inception, or read any of the press on it... you know first-hand that's pure farce.

I've seen some interesting articles on the site, most notably this great review of it at; but I thought I'd think this through myself a little and see if I can gleam something meaningful from the roaring sound of crickets chirping as the site bustles through. (Obviously you've picked up on my sarcasm by now?)

First, let me do a quick break-down of the stuff that's available for purchase at the site right now.

  • 20 total vulnerabilities available
  • 45% Windows-based
  • 30% Linux-based
  • 25% web application-based
  • 2 vulnerabilities have been bid on
I'm not even going to get into the significance of the Windows versus Linux vulnerabilities, but I do want to point out that there are a significant amount of web application vulnerabilities here, by percentage (even if they are rather weak-looking)

Let's face it, if eBay ran like this they would have been out of business on week 2. I'm absolutely amused with these guys who run this site. I think that the Darknet writer breaks it down with smashing pin-point accuracy when referring to the vulnerability market...
Perhaps they didn’t think the whole concept out. Most of the people that need these kind of exploits - have access to them. Those that code trade, those that don’t code steal and trade - those that have no skills..pick up the left overs.
Nail hit on head. One has to ask themselves - what's the business model here? Are the folks at WabiSabiLabi marketing (or pandering) to the security companies? perhaps to the BlackHats (as unlikely as that seems)? maybe to some other crowd? What's your target market WabiSabiLabi?

It's no great revelation that a site which puts "0Day vulnerabilities" up for auction is a bit of a strange animal. If you have an 0day vulnerability, why would you risk exposing it to the world, when you can clearly make much more money selling it underground? Perhaps I've stumbled upon something here... is this a marketplace for second-rate hacks who've found some mediocre defect in some code somewhere, have no contacts to sell it to the underground, and are looking to connect with people who want to buy? Perhaps this is the target market... so let me build a quick profile of the typical seller:
  • mediocre code-monkey
  • no contacts to really "sell" an 0day vulnerability to the underground
  • no ethics to use responsible disclosure to get it fixed through the vendor or OpenSource owner
Really? I can't even imagine what idiot would bid on one of these auctions... I'm going to make a mental stretch here, and shout at me if you think I'm wrong, but I'm going to say that the majority of the real, legitimately dangerous 0day stuff is sold or traded (or horded?) in the dark corners of the Internet, or in pubs or uneventful money-exchanges where they laugh at the guys running WabiSabiLabi and go about their business.

1 comment:

Anonymous said...

Thanks for the mention, nice to find someone actually writing something original on the end of a link - and not just another splog stealing my content.

Keep up the good work P)