Vupen Security: The First Pwn Troll Business?

Monday, May 16, 2011

Keith Mendoza



A few days ago Vupen released a video purportedly claiming that they finally pwn3d Google Chrome, followed by the ensuing back-and-forth between Vupen and Google engineers on Twitter.

Vupen refuses to share their findings with Google, but has instead shared them with their customers.

At this point, Google has only stated that the attack vector appears to involve Flash, which, if it's true, would mean that it's not Chrome that got pwn3d but the Flash plugin yet again.

I don't know what credibility Vupen has left as a company in the eyes of the information security industry.

Their actions are no different from patent trolls or the many script kiddies who troll around the web showing their half-baked warez.

I don't know how it benefits their customers to point out that a piece of software has a security hole if they don't let the developer know what the hole is.

I hope that their customers see the error of Vupen's ways and stop using their services so they can be forced to close shop and make way for other legitimate security vendors.

If Vupen is successful in extorting money from Google, I have a feeling that we might see a breed of trolling which I will call "pwn trolling".

These will be purported security organizations who will find software bugs that they can exploit and ask the developers for money, or else leave them alone to figure out what the hole is.

As the Vupen-v-Google Chrome incident has shown, the issue is not whether Vupen found something legit; the publicity is enough to cause a company to have to spend resources figuring out whether there is a real hole and then having to turn around to dispel the bad publicity.

Cross-posted from Home+Power
