xisto Community
tansqrx

Two For The Price Of One: New Messenger Exploit And A New Way To Get It


A new service run by WSLabi (http://forums.xisto.com/no_longer_exists/?) touts itself as the new eBay of vulnerability researchers (http://www.securityfocus.com/brief/542?ref=rss). For many years there has been a battle between security researchers and software publishers over the price or value of an exploit. As a researcher myself I know how many countless hours go into finding and developing material that is useful in making an exploit. I could easily turn it into a full time job. I do it for a hobby but what if someone wants to make it into a full time job? If you were only able to publish two or three really good exploits a year then you will have to get a fairly large price for your labors.

WSLabi makes it possible to ask the highest bidding price for your exploits. It is apparent that this site may encounter legal issues but these questions will have to be answered as this business model turns into a reality.

As a bonus to this story, one of the first exploits on the site is for a Yahoo! Messenger 8.1 vulnerability (ZD-00000005 - Yahoo! Messenger 8.1 remote buffer overflow). Very little information is given for the exploit but from the description it appears to have something to do with the address book. The current asking price starts at 2000 Euros which no one has taken yet. I am interested in seeing what this is but 2000 Euros is a tad bit high for my curiosity. If anyone is interested in creating an office pool for this exploit let me know. I am good for 50 Euros right now.


Interesting, didn't bother to look up yet how this did work. It does sound a bit like extortion or rather blackmail. Sure, QA of said program should be able to figure it out and protect it. If some people want to turn it into a full time job, they have to be prepared, not every job is in the right place or has demand for. What use will the address book have? Might be something mundane or meaningless, or not relevant at all. I wouldn't waste money on things like that at all. Don't think it's even for use of those with evil intentions. I think your curiosity will get very disappointed.


I must agree! I don't think I would want to go spend my money on something like an exploit that, by the time the 'auction' has finished, may have already been resolved by Yahoo! And how do you know that they are telling the truth? They may just be making it all up!


The thought of a scam or someone just making it up did run across my mind. I suppose what I would be more afraid of is a previously released exploit disguised as a new one. At any rate I feel that 50 Euros would be an acceptable price to pay for my curiosity.


I think your post should be more than just 'what?' to get your point across. But for your sake, what's happening is a group of people are trying to auction off exploits to the Yahoo Messenger program!


Don’t worry, I completely understand that an exploit was being offered. From what I can tell the exploit was never bought because it is not showing up in the history. I guess 2000 Euro is a little more than anyone is willing to pay for a Messenger exploit.


And even then could have been something like "Doing this and this, you can add the same person twice in your address book!".

Don't pay too much of a price for curiosity, for there are many 'secrets', mysteries and things that just are but untold to others in the world :P

Well, another reason for them not selling is their vague description. It doesn't seem of much use to anyone.

