I first came to know about Sunny Vaghela about one and a half years ago when I got an email from Sandip Dev of Sun Microsystems (now acquired by Oracle).
From: "Sandip Dev"
To: "Susam Pal"
Date: Thu, Dec 10, 2009 12:23 AM IST
Subject: The Orkut exploit
Hi Susam,
I just read the Orkut exploit on your site http://susam.in/security/advisory-2007-06-22.txt. It seems this guy, Sunny Vaghela, claims this exploit to be his own (http://sunnyvaghela.com/orkut-hacking.html). He also claims that people from Google visited him (http://www.techgoss.com/Story/227S12-Security-expert-starts-NGO-to-help-cyber-victims.aspx). What's your take on this?
Regards,
Sandip Dev
From: "Susam Pal"
To: "Sandip Dev"
Date: Thu, Dec 10, 2009 1:17 AM IST
Subject: Re: The Orkut exploit
Hi Sandeep,
In our advisory, we have documented that the session management vulnerability associated with the orkut_session cookie was first reported by Net-Square Solutions Private Limited. We published an advisory in 2007 because even though the Net-Square advisory mentioned that the vulnerability is fixed, we found that it wasn't. So, we published the results of our investigation and experiments.
The link that you have sent me doesn't mention that he claims the exploit to be his own. I have not seen the Headline Today video on his work. However, if he does claim that it is his own exploit, either he has discovered the vulnerability independently and is unaware of related work that has been done before or he is using information from the advisories published by us and Net-Square, but claiming it to be his own.
Regards,
Susam Pal
From: "Sandip Dev"
To: "Susam Pal"
Date: Thu, Dec 10, 2009 9:29 AM IST
Subject: Re: The Orkut exploit
Hi Susam,
He has put it under "Research" on his site and also in the interview he says he "found" this exploit. Well, I have been reading up about him recently and this came up. So I thought I would alert you. Thanks for the response.
Regards,
Sandip
From: "Susam Pal"
To: "Sandip Dev"
Date: Thu, Dec 10, 2009 10:18 AM IST
Subject: Re: The Orkut exploit
Hi Sandip,
Thanks for the alert. I was assuming that he was talking about his work in good faith. There is a possibility, no matter how small, that he has discovered the vulnerability independently and he is not aware that we have already investigated this and published advisories on it.
However, I understand that there is also a possibility that he is violating our copyright on our work and claiming that the work is a result of his own research. I don't mind it since most websites on the web properly attribute the advisory and the investigation to me and Vipul.
Thanks for the alert however. It was interesting to see an old work in the news recently.
Regards,
Susam Pal
A couple of days ago, I found him again at attrition.org, a website that used to be the largest mirror of defaced websites.
Sunny Vaghela has found a place in attrition.org's charlatans watch list: Sunny Vaghela: Claims of Orkut Vulnerability Research. He is the third Indian to get into this list after Ankit Fadia and Sahil Khan.
1 comment
Arjit Srivastava said:
This is hilarious. Another charlatan off the hook? What up, Fadia? What up, Khan? And now, what up, Vaghela? Seriously, plagiarizing an entire book by Sahil Khan was not enough? (Not entirely, yeah, 99+%!) And now this new guy? What's actually wrong with these so-called "whiz-kids"?