
Exploit broker Zerodium ups the ante with $500k to target Signal and WhatsApp - acconrad
https://arstechnica.com/information-technology/2017/08/wanted-weaponized-exploits-that-hack-phones-will-pay-top-dollar/
======
Abishek_Muthian
Not just Signal & WhatsApp,

$500,000 - Messaging Apps RCE + LPE (SMS/MMS, iMessage, Telegram, WhatsApp,
Signal, Facebook, Viber, WeChat).

Which I guess are chat apps with > 250M MAU (except Telegram, which is probably
there because of its high usage rate in Arab countries). Looking at their
programme, they might approach the original vendor; but we all know who would
pay hard cash for 0 days ;)

Original Source :
[https://zerodium.com/program.html](https://zerodium.com/program.html)

~~~
jorvi
Strange that they would pay the same money for an iMessage or Viber exploit.
Those have very little market penetration compared to WhatsApp's 90%+ (!)

~~~
secfirstmd
It's the countries that they are big in that probably make them think this
way.

For example, Viber is very popular in the Middle East, Russia, Africa, India,
parts of Asia, Ukraine, Balkans, some of the 'Stans.

------
weddpros
Say a company buys and sells insider trading information... Would it be legal?

So why is buying/selling 0 days OK?

Both are selling information that _will_ be used wrongly in the wrong hands,
the kind of information you don't want a "broker" to know about, the kind of
information you don't want a broker to find clients for.

And if there's only one potential buyer (the target), they're basically
blackmailing 0 day targets: "become a client or... who knows what will happen...
maybe the NSA or hackers will buy it?"

~~~
qeternity
You are confusing two things. Buying/selling "insider info" (i.e. material non
public info) is not illegal. Acting on such info CAN be illegal under certain
circumstances, but even that is super difficult to prove. Why would
buying/selling 0days be any different? It's the usage that determines
legality. Why should buying an exploit to permit jailbreaking be illegal? Or
to permit unlocking a device (presuming local laws allow).

~~~
fauigerzigerk
_> Buying/selling "insider info" (i.e. material non public info) is not
illegal._

I doubt that. If I had non-public information that could materially impact the
price of a company's stock, I would not expect to get away with selling that
information to anonymous buyers via some shady broker.

~~~
qeternity
You should look at some of the recent failed insider trading prosecutions. If
you sell the info and expect someone to trade on it, and thus you are
benefiting from ill-gotten gains, then they MIGHT be able to prove conspiracy.
My point is that if you have MNPI and I pay you for it, and that's the end of
it, well that's not illegal. It may be a civil violation due to NDA or
something, but that's different.

~~~
fauigerzigerk
I can imagine that what you're saying is true if there was no danger to the
public.

But if someone were to trade on the knowledge that a supplier had delivered
faulty airbags to an auto manufacturer without telling that manufacturer, I
doubt this would be looked at kindly by the courts.

But I agree that the metaphor is not ideal. Selling 0day exploits to that
broker is much worse. Any seller would have to have a reasonable expectation
of aiding organised crime or terrorism.

------
mmagin
I wonder if there's a way to use civil legal proceedings to punish these
exploit-trading firms. Maybe class action lawsuit representing victims of
these exploits.

~~~
pizza
The government is gonna shut down its own favorite means of acquiring 0days?

~~~
mrleiter
Well, be that as it may, but the judiciary is generally independent. Inferring
political meddling in courts is rather speculative territory.

------
gcp
Firefox/TOR LCE+SBX on Linux: 100k

Chrome LCE+SBX on Linux: 80k

Interesting.

~~~
julianj
Yeah... I recently uncovered a way to bypass the Tor Browser Bundle proxy on
some Linux flavors [0]. Unfortunately, the bounty from the Tor Project isn't
nearly as much [1], but at least I can sleep at night.

[0] [https://blog.torproject.org/blog/tor-browser-703-released](https://blog.torproject.org/blog/tor-browser-703-released)

[1] [https://hackerone.com/torproject](https://hackerone.com/torproject)

~~~
r3bl
Good job!

If it's not a secret, how much did they pay to you? Seems like this could be
considered, at least, a medium severity, and the top bounty they gave so far
is only $500. If you don't wanna disclose that, that's perfectly
understandable. I'm just curious.

~~~
julianj
I haven't received a payment yet actually -- it is still pending.

------
w8rbt
I expect two factor authentication over cellular networks (SMS and voice
callbacks) to be commonly exploited in a year. Orgs really need to force OATH
(HOTP, TOTP) and FIDO (U2F, UAF) and begin transitioning away from cellular
two factor.
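
The OATH algorithms named above, as an added example that is not part of the thread: a standard-library-only HOTP (RFC 4226) and TOTP (RFC 6238) implementation, plus a server-side verifier that tolerates a little clock skew, compares in constant time, and refuses to accept a time step it has already accepted (so a code captured in transit cannot be replayed). The only secret used is the RFC test key, assumed here purely so the output can be checked against the published vectors; the function names and the `last_counter` replay guard are this example's own choices, not a reference implementation.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only.

Added example, not code from the thread. The secret below is the RFC test key
(ASCII "12345678901234567890"); a real deployment generates a random 20-byte
secret per user and shares it once, at enrolment (e.g. via a QR code). No
cellular network is involved: both sides derive the code from the shared
secret and a counter (HOTP) or the current time (TOTP).
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6,
                algo=hashlib.sha1):
    """Return the time-step counter the code matched, or None if it did not.

    - accepts +/- `window` steps of clock skew between client and server
    - refuses any counter <= `last_counter` (the step most recently accepted
      for this user), so a code seen once cannot be reused inside the window
    - uses hmac.compare_digest so the comparison does not leak via timing
    """
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits, algo), code):
            return candidate
    return None


if __name__ == "__main__":
    # Client side: derive the current code from the shared secret and the clock.
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    # Server side: verify it, remembering the accepted step to block replays.
    accepted = verify_totp(RFC_TEST_SECRET, code, now)
    print("code", code, "accepted at step", accepted)
    print("replay accepted?", verify_totp(RFC_TEST_SECRET, code, now,
                                          last_counter=accepted) is not None)
```

The `last_counter` value has to be persisted per user on the server; for HOTP the same idea applies to the event counter, and on both schemes a lost device means the secret has to be re-enrolled rather than recovered through the phone number.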

~~~
ihattendorf
The problem that I haven't seen a good answer to is what happens when (not
if) the customer loses their 2nd factor device? If someone loses their phone,
they can still keep their same number and receive an SMS verification on their
new phone. With OATH/FIDO, that won't happen.

------
Spooks
If I were WhatsApp I would offer a larger bounty. If they get the 0 day they
could fix it before it gets into the wrong hands. I would think 500k is a drop
in the bucket for them, and it would give them good press that they are actively
keeping up with the privacy/security of their users.

~~~
fauigerzigerk
If I were WhatsApp, I would offer to compensate those who have found the
exploit for their work. If someone else buys the exploit I would sue the
broker for extortion.

~~~
tryingagainbro
_If I were WhatsApp, I would offer to compensate those who have found the
exploit for their work._

Sure, their rate is $1 million an hour :).

I could see the government jumping in and pressing charges, but the worst thing
WhatsApp can do is piss them off.

------
CleaveIt2Beaver
Interestingly, I don't see a payout linked to Zerodium directly. What happens
if someone they do business with decides they can just grab the keys to the
castle directly? I wonder if they'd bargain, or just set another bounty on the
individual or group in question.

------
segmondy
Wish someone would offer a bounty to target Zerodium.

------
tradersam
What a world we live in. I wish humanity made this turn out differently, where
digital privacy was a human right, not something worth $100k.

~~~
bluddy
I'm not sure this isn't a "good thing", to some degree. Companies like Apple
and Google offer rewards for people who find exploits in their software, but
they have little incentive to raise the reward even as the exploits become
more and more rare, and demand more time to find. This may give them the false
impression that there are no more exploits, while in reality they just haven't
incentivized people sufficiently. This company operates on the other side (of
which I don't approve), but by pricing exploits more accurately (via supply
and demand), it forces companies to raise their prices as well to compete.

In other words, this can be seen as part of the free market incentivizing
people and companies to find and patch exploits, or for programmers to just
write safer code in general.

~~~
confounded
Couldn't the same argument be made about a thriving market in ways to break
into your house at night and kill you?

~~~
conanbatt
If your home has 250 mill people using it a month, probably.

~~~
QAPereo
More like... 250m people use a given brand of lock.

~~~
akvadrako
I wouldn't trust a lock that doesn't have a $500K bounty offered for exploits.

~~~
niij
So what do you use at your house? Watching the lock pick village videos from
DEF CON made me realize that there are no perfect locks.

~~~
akvadrako
I use a cheap lock and don't expect it to hold up against any but the most
lazy attacks. I don't _trust_ it.

