Sunny Vaghela: Claims of Orkut Vulnerability Research

One of Sunny Vaghela's claims to fame was allegedly finding vulnerabilities in Google's Orkut social networking site. His personal site gives some details about the issues as well as images of him on various TV shows talking about the vulns. The Times of India says that Vaghela's "technical advice was accepted and adopted by Google" when he pointed out the loopholes. Techgoss writes that after Vaghela disclosed the vulnerabilities, the "Orkut people came and met me .. to discuss the issue".

It is difficult to believe that the California-based Google would send someone to India to discuss two vulnerabilities, unless a Google employee who worked on Orkut happened to be there already. Since he started using the Orkut vulnerabilities as a way to market himself, Vaghela has changed his account of when he found them several times. In a press release, Vaghela says he was 18 when he found them. On his corporate web site he claims he found them when he was 19. In reality, his original web site, with news that still scrolls, betrays these claims, showing September 10, 2007 as the release date, making him 20 years (3 months, 19 days) old based on his May 21, 1987 birthdate.

More importantly, the research put forth by Vaghela is taken from previously published research by Net-Square. "Sandip Dev" brought this to public attention in his article "Demolishing Ankit Fadia v 0.01 Service Pack 1", which was then picked up by Death_c0der in his article "Fake Ethical Hackers vs Real Hackers". Vaghela reported two vulnerabilities in Orkut:

If you read carefully, you see he uses different wording to describe the exact same vulnerability. The orkut_state session cookie is not properly terminated on the server side, allowing for cookie re-use to maintain access to an active session. This is a routine finding in application tests and a common oversight in application development. Vaghela's wording is suspiciously close to the Net-Square Orkut advisory:

The Net-Square advisory was published by Pallav Khandhar and Saumil Shah on January 31, 2007, some nine months before Vaghela's disclosure. The exact same issue was published again by Susam Pal and Vipul Agarwal on June 22, 2007, in an advisory titled "Orkut Server Side Session Management Error":


The session associated with a user does not expire at the server side when a user logs out. It is not disabled when a user fails authentication during a session. This can be exploited by an attacker to hijack the session of a legitimate user even after a user has logged out or has been logged out due to a failed authentication during a session.

With two separate advisories covering the same vulnerability, and Vaghela using the exact wording from one of them, it is clear that his "Orkut research" was nothing but plagiarism and a vehicle to promote himself in the media.
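
An added example, not part of the original article or either advisory: a minimal Python model of the session flaw described above, where logout or a failed authentication clears the browser's cookie but leaves the server's session record valid. The `SessionStore` class, its methods and the sample user are hypothetical, and the check is written as the regression test a developer would run against their own logout path.

```python
import secrets


class SessionStore:
    """In-memory server-side session table (hypothetical, for illustration)."""

    def __init__(self, server_side_invalidation):
        self.server_side_invalidation = server_side_invalidation
        self.sessions = {}  # session token -> username

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token  # value the browser keeps in its session cookie

    def _end(self, token):
        # The flawed variant skips this deletion, so the server keeps
        # honouring the token after the browser has dropped its cookie.
        if self.server_side_invalidation:
            self.sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0"  # client-side clearing only

    def logout(self, token):
        return self._end(token)

    def failed_reauth(self, token):
        # A failed authentication during a session must also end it.
        return self._end(token)

    def authenticate(self, token):
        return self.sessions.get(token)  # None means the request is rejected


def token_survives(store, end_session):
    """Regression check: is a token still accepted after the session ends?"""
    token = store.login("alice")  # constructed sample user
    assert store.authenticate(token) == "alice"
    end_session(store, token)
    return store.authenticate(token) is not None


def audit(server_side_invalidation):
    store = SessionStore(server_side_invalidation)
    return {
        "logout": token_survives(store, SessionStore.logout),
        "failed_reauth": token_survives(store, SessionStore.failed_reauth),
    }
```

`audit(False)` models the flawed behaviour and reports the token as still accepted in both cases; `audit(True)` deletes the server-side record and reports it rejected.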
