Orkut Exploit

By Susam Pal on 25 Jun 2011

I first came to know about Sunny Vaghela about one and a half years ago when I got an email from Sandip Dev from Sun Microsystems (now acquired by Oracle).

From: "Sandip Dev"
To: "Susam Pal"
Date: Thu, Dec 10, 2009 12:23 AM IST
Subject: The Orkut exploit

Hi Susam,

I just read the Orkut exploit on your site http://susam.in/security/advisory-2007-06-22.txt. It seems this guy, Sunny Vaghela, claims this exploit to be his own (http://sunnyvaghela.com/orkut-hacking.html). He also claims that people from Google visited him (http://www.techgoss.com/Story/227S12-Security-expert-starts-NGO-to-help-cyber-victims.aspx). What's your take on this?

Regards,
Sandip Dev

From: "Susam Pal"
To: "Sandip Dev"
Date: Thu, Dec 10, 2009 1:17 AM IST
Subject: Re: The Orkut exploit

Hi Sandeep,

In our security advisory, we have documented that the session management vulnerability associated with orkut_session cookie was first reported by Net-Square Solutions Private Limited. We published an advisory in 2007 because even though the Net-Square advisory mentioned that the vulnerability is fixed, we found that it wasn't. So, we published the results of our investigation and experiments.

The link that you have sent me doesn't mention that he claims the exploit to be his own. I have not seen the Headline Today video on his work. However, if he does claim that it is his own exploit, either he has discovered the vulnerability independently and is unaware of related work that has been done before or he is using information from the advisories published by us and Net-Square but claiming it to be his own.

Regards,
Susam Pal

From: "Sandip Dev"
To: "Susam Pal"
Date: Thu, Dec 10, 2009 9:29 AM IST
Subject: Re: The Orkut exploit

Hi Susam,

He has put it under "Research" on his site, and also in the interview he says he "found" this exploit. Well, I have been reading up about him recently and this came up. So I thought I would alert you. Thanks for the response.

Regards,
Sandip

From: "Susam Pal"
To: "Sandip Dev"
Date: Thu, Dec 10, 2009 10:18 AM IST
Subject: Re: The Orkut exploit

Hi Sandip,

Thanks for the alert. I was assuming that he was talking about his work in good faith. There is a possibility, however small, that he has discovered the vulnerability independently and he is not aware that we have already investigated this and published advisories on it.

However, I understand that there is also a possibility that he is falsely claiming that the work is a result of his own research. I don't mind it since most websites on the web properly attribute the advisory and the investigation to me and Vipul.

Thanks for the alert, however. It was interesting to see an old work in the news recently.

Regards,
Susam Pal

A couple of days ago, I found him again at attrition.org, a website that used to be the largest mirror of defaced websites. Sunny Vaghela has found a place in its Charlatan Watch List page. Here is the detailed article on attrition.org that talks about Sunny Vaghela's claims: "Sunny Vaghela: Claims of Orkut Vulnerability Research". He is the third Indian to get into this list after Ankit Fadia and Sahil Khan.