The Sunny Vaghela critical patch

Sunny Vaghela’s biggest claim to fame has been his discovery of the Orkut vulnerability that got him some airtime and his 15 seconds of fame. Some basic investigation led me to find a pre-dated advisory of the Orkut vulnerability ( Net-Square Orkut advisory)  realeased by Net Square (Pallav Khandhar and Saumil Shah) on January 31, 2007, a good 9 months ahead of Vaghela’s claim of discovery of the same. Not just that, Susam Pal and his colleague Vipul Agarwal again wrote about the same vunlerability ( Orkut Server Side Session Management Error) on June 22, 2007 , giving due credit to Net-Square.

There is of course the possibility, however small, that Sunny Vaghela did independently discover this bug well after it was found by Netsquare and he is unaware of the discovery by Netsquare. And we could give him the benefit of doubt for the same.

Sunny Vaghela’s has earned the distinction of being the third Indian to feature on Charlatan list right after Ankit Fraudia and Sahil Khan, not a very great company to keep.

Susam Pal has also written about the same of his blog (The Orkut exploit). He has also posted the emails exchanged between him and I.



60 thoughts on “The Sunny Vaghela critical patch

  1. i liked your previous post also on Ankit Fad-diya 😛
    and i agree on this sunny with you 😀
    people have made hacking a business, and the sad part is that they dont even know shit of hacking.

    • thanks for subscribing, am flattered 😉 Yeah, people like Vaghela feed on the ignorance of the public and journalists. Nevertheless, they cannot continue forever. Someone or the other will surely expose them somdeday

  2. This was rather short. You had a longer, more detailed post for demolishing Ankit Fadia. Please do not starve geeks like myself, who have very little to eat to begin with. 🙂

    (On the other hand, if all this guy could do was reproduce old vulnerabilities, then there’s probably not much to write about anyway.)

  3. Also, is there any reason that his website talks about him in third person, as though he’s not written any of its content? Just curious.

    • haha..thanks for pointing it out… While the link is titled “About Me” it talks of him in the third person.. Its either megalomania or poor command over the English language or both 😉

      • ha ha ha ha.. ya that is insane.. i still don’t understand that.. why do thousands of students go and attend his so called “Hacking” workshops… and who has given him the authority to give certifications like “Certified Cyber Security Expert Version 2.0” ???

  4. Ha ha ha ha…. Just google Vaidehi Sachin aka Cat techie.

    Her blog is / and claims to be publish India’s first hackers zine… more details @

    I am eager to see your research on both Rafay & vaidehi Sachin.

    Keep Rocking..

    • thanks dude.. Rafay isn’t worth writing about. He does not claim to have done much (none that I know of). Yes he does plagiarize others articles on his blog and thats pretty much all one can dig up on him at the moment. So unless Rafay plaigiarized something big, its not worth my time, attention and sarcasm 😉 Will have to take a look at Vaidehi Sachin though

      • Yes u r right. Only one blog and book. No big claims…

        But you must keep your eye on CAT. You will be amazed that she had 10+ fake profiles on FB. High profile fake claims. For more you have to digg on her FB profile and blog. Also do not forget to download INDIA’s FIRST HACKERS ZINE’s OLD EDITIONS…..which are copy paste from internet he he he he he…….

  5. Nice article …Don’t waste time on rafay becoz he is one who is trying to sell warez stuff 😛

    And Yes , write something on CAT …But after writing article you have to deactivate ur facebook account(if u have one ) due of her new methods of abusing (fake profiles)..

    • Nah I wont remove my FB profile..If anyone creates a defamatory profile on my name, I will simply lodge an FIR with the nearest police station. Lets see, how one can avoid getting detected by ISPs. Should be fun

        • I think she has been demolished already.. I wrote about Fadia coz ppl used to ask me about Fadia and I had to explain them the same things again and again. I wrote about Sunny coz I got pissed with him. After I had mentioned Sunny’s name in passing in a few comments, some of his fans (and probably he himself under fake names) argued with me on my blog. Also Sunny passed threats of suing me hrough common contacts if I did not remove my comments about him. That pissed me off seriously. Otherwise my time is way too precious and I dont want to waste time on them. I would much rather get some sleep. Vaidehi can live in her dream world and play ‘hacker hacker’. But thanks for the link It was fun reading.

  6. lol, you know who rafay baloch is, he is one of the best Ethical hackers around and I guess you are jealous by his fame and sucess…No one writes better stuff than rafay, and ankit fadia what facts do you have that ankit fadia is not a hacker?

    • Yeah I know who Rafay is and may be for your level of computing skills, Rafay “is one of the best Ethical hackers around” [sic]. But thats not my assessment. As for Fadia, if you learned to click, then the two links to posts about Fadia are posted on this very post itself. You might wanna peruse them.

      And yeah, you are so right about the jealousy bit. Damn, I am burning with jealousy :p lol… Take a hike mate

  7. Yeah, Both Ankit Fadia and Sunny vaghela are really peice of crap, I really appreciate your skills you have exposed their reality, About rafay I don’t know much about him, but I am a regular reader of blog, I hate to say but he writes really good stuff, I hate to say but he is really good….

  8. Just wanted to ask you one question…Do you know sunny personally? Have you attended any of his programs?

    He generally conducts 2 Days workshops not just over hyped seminars like Ankit Fadia.Well,I have attended one of his program at NIT Bhopal & it was really good start for me to explore my skills into hacking field.One thing i really liked about him that he has not used any tools during the workshop.All the demonstrations were given using browser & manual scripts.

    You probably won’t get more comments to this post compared to fadia’s post.Thats what i can say.

    • Well Abhinav, I don’t think I need to be buddies with anyone to comment on them, do I? So yeah, I do not know him personally. I think you are unable to grasp the severity of plagiarism; its not some engineering assignment that you can just copy (though that would be unethical as well) it much more severe. And Sunny went to the media claiming it was his work. In the tech community, people publish a lot of things in the free domain with good faith hoping that anyone using that work or building upon it would give credit where it is due.

      I am not sure what he did in that particular workshop but a few about which I know, he did use Metasploit extensively. And metaspoilt is basically point and click cracking; in short its lame. Its not hacking by any stretch of imagination. His site also makes mention of metasploit and he also gives degrees these days. Tell me one patch, vulnerability update or even metasploit script that he has submitted so far. I rest my case.

      As for comments on this post, well I don’t earn money from the comments so I don’t care.

      • Sandip, It seems like i need to intervene….What my question is that “Does he really know how to use metasploit???” ROFL 😀 that’s way beyond his knowledge.

        Appreciate your stuff…Need more

  9. As far as advisories are concerned,He submitted advisories to many government departments like Cybercell Mumbai,CBI & also GFSU Gujarat recently..He knows me personally..What if i can help you out to get those advisories with POC??

    • Thank you for the offer. But 2 things first

      1.Well hackers discover bugs they report to the software/hardware manufacturers or publish an advisory on their site or post it on buqtraq. They don’t usually go to the cops because the cops aren’t capable of analysing computer threats. Also I not sure of the nature of the advisories, are they zero day exploits or are they mere dos and donts of cyber security for the cops

      2. Nothing changes the fact that there may have been plagiarism. Even great authors have had to pay hefty price for plagiarizing.

  10. I don’t know exactly but these advisories may contain details about vulnerabilities of their websites & their critical infrastructure..Its not about zero day or common vulnerability but the most important thing is to report them.

    Tell me one thing,whats your take on hackers publishing many advisories on exploit-db regularly?

    • Well so the advisories you are talking about must be relating to vulnerability assessment of their websites or networks etc. As for publishing advisories on exploit-db, thats pretty routine for hackers and it helps everyone a lot. So yeah, its a good thing.

  11. If he has helped them assess their vulnerabilities Don’t you think “it helps them a lot. So yeah, its a good thing.” .. ???

    Don’t mind but trying to give answer in your words..

  12. Now Days You Have Automated Tools …U just Click And they will Genrate report for u ..

    So whats spceial ..copy paste website url scan ..and in 20-30 minutes we can get a full report …So whats Big deal …(All know how to edit and add ur name to report )..

    And About seminars…they doing same things from 1-2 yrs …same victim websites …same softwares to reverse ..i

    practice matters 😛

    If u like his seminar then attend his seminar twice …and honestly tell what is diffrence b/w first and second ..waiting 😛

    • You are right prctice matters but for your information, He is not conducting seminars like Ankit Fadia..its 16 hours hands on workshop at my college..I have attended both the levels of his workshop & it was worth spending 1000 bucks.

  13. I Dont mean Fadia vs Sunny workshop..I mean diffrence b/w sunny’s two workshops.
    They done same things in every workshop(may sites differ…finding sql injection vulenrable sites is not big sql injection sites may change)..But other thing remain same.

    even check the wording …they use similar sentences ..

    I mean to say he dont do anything new…he just learn more than fadia and repeating that things again and again.

    Also satisfation from workshop depends upon person to person ..may be he is ur ideal person or brother something…or may be u have futre plan to join his company or start seminar thing on ur own.

    But i just mean to say giving seminars can make u a good speaker, but not a gud security expert.
    Hope u getting me 😛

  14. Looking at whois info of his official website,I really don’t think that he would need any free hosting service provider to host his website..

    Are you sure that own by sunnyvaghela..??

  15. Read my comment carefully..I asked “Are you sure that own by sunny?”

    Attrition posted screenshot of & i really don’t think that he would need any free hosting provider to host his website.

  16. Do you guys know that Sunny Vaghela was s student of Ankit fadia once. In a “Ankit Fadia Certified hacker” program. He could not get the certificate though, because he could not pass the exam. 😛

  17. @sandip- very good post and i yesterday read ANKIT FAD-DIYA it was awesome… i too agree that a such business gimmick wont last long. I am a cyber security consultant and i have cleared it from GFSU. I dont thin that GFSU needs any help from either sunny vaghela or fadia… I know the guys who teach there and believe me they are very brilliant. The scuentific officer at GFSU in Computer dept. is a very bright and intelligent guy. Infact, the cases all over the state and other regions in india come to GFSU for cyber forensic analysis, they dont go to other parties. and they are successfully analysed. So, if any self proclaimed hacker tells that he has helped Gujarat police crack case that will be unlikely.
    Say, if i know some IAS/IPS officer and with his help conduct awareness seminars for police officers then this doesnt mean that i am assisting gujarat police in their case. I am infact gathering popularity for my business-simple as that.
    The course offered by Sunny vaghela / ankit fadia. I have dwnlded the fadia’s book- its a piece (PISS) of shit.
    and as for the vaghela’s stuff its all based on Backtrack i have seen it when i visited a education fair 1 year back at ahmedabad.
    well, we can find tuts of BT and Metasploit freely on web. I myself have full tutorial(tut) of Metasploit. and BT.
    i have no offence for sunny vaghela, but i dislike the fact that do not mislead anyone of prolcalim as greatest.
    “the best hacker always keeps on learning”

  18. @sandip: In this fake world, its really difficult to find a right person. Can u help me find a proper tutor for learning hacking tricks?
    Though I assure you I won’t plagiarize after I have learnt or have intentions to take it as my career to teach, but I would genuinely like to help society silently. So are there any good institutions left who has genuine content and tutors?

    • to start with, go with CEH, it would give u good concepts in security. and yes, this is an evolving line so, all u need is to have good grasp of concepts on how networks and webapps work u can have your own way to bypass security mechanisms, do not take it as a course in hacking, better to take it as a means to innovate.

  19. could you please suggest me ,i want learn ethical hacking and security then which institute/compony/workshop shoud i join???

  20. I’m a student at Techdefence (Sunny Vaghela’s institute) and it kills to hear such hate comments against him. I’m highly disappointed.

    • Hate? I don’t know him personally so question of love or hate doesn’t arise. I also don’t care about any of this enough or have any anything to gain by lying. I just presented the facts of the case as they are. Whatever you learnt there can be easily learnt from the internet. You wasted your time and money. Good day.

Let me know what you think

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s