The last time Hackerfall tried to access this page, it returned a not found error.
A cached version of the page is below, or click here
to continue anyway
Critical Security Issue: "Error138" Backdoor Issue #24 WhiteHatSecurity/Aviator GitHub
Well, here is another interpretation of how Aviator made it to GitHub, to be an open source tool.
Or at least an hypothesis with partial proof and some educated guesses.
It's not meant to be an attack or an attempt to hurt anyone. I just want to understand how it came to this point and therefore share my thoughts and research results to be debated or disproved.
Oh, and admittedly my assumptions are opinionated as I am a bit upset right now.
- About 1.5 years ago, some folks at WhiteHat Security came up with the idea of building/branding a browser
- Codename for that project is "Champion". (see Aviator sources)
- Focus of that project would be privacy and security as this matches WhiteHat's other product lines.
- The future business model behind it would be a paid premium version of the browser. Source
- WhiteHat get Robert Hansen on board for he is known to have a good background in web- and browser-security Source
- The idea gets fleshed out and WhiteHat Security starts looking for a contractor to build the project with.
- They find Photon Infotech from Chennai, India. Website, (see Aviator sources)
- The first versions are built and released, renamed from "Champion" to "Aviator".
- Someone decides to call it "The Most Secure Browser Online" Proof
- In early 2014, the "Error138" is reported and disclosed first time. The one that is now an RCE. Tweet (as asked for here, there was friendly mail contact, not just the tweet)
- Selfies with cool aviator shades appear online. Tweet
- The level of Aviator's success however is low, not too many users download and actually use the tool.
- Still, WhiteHat has to pay for the development. Which is indeed ongoing. Proof
- Meanwhile, there's about 500 changes to the original Chromium code Source
- An audit or anything else direction reasonable security program never happened. Too expensive. No actual ROI. (well, see Aviator sources as a proof that no audit happened)
- At some point the bills just become too much to pay, the money simply burns and nothing comes back.
- Meetings are held, people wondering what to do now.
- An idea develops. Aviator could be open sourced! That would mean no bills anymore and failure can be blamed on the community. Especially if bugs don't get fixed.
- So, the community would be responsible for a branded WhiteHat Security product. And everyone wins. Well. Only WhiteHat. But still. (see comments on this ticket)
- That however did not work out and a shit-storm happened. Source
- Followed by a blog post blaming Google for being so rich. Source
Other points about Aviator, the mediocre code, the lack of a security bug tracker, no security response process, no technical documentation and the lack of anything else that is recommended if not even required to create and maintain a security critical piece of software are speaking for themselves.
I believe, that Aviator was meant to be a marketing tool that turned out to blow up and backfire on its creators. Aviator claims what it cannot deliver - "The Most Secure Browser Online". And now a blame game is being played to do reputation damage control.
So, to wrap it up and connect to the comment by @DinisCruz, I don't see any altruist move here but a simple and failed attempt to do financial damage control and claim to have done something good while actually throwing off baggage and hiding the fact that Aviator is a dead horse.
I may be dead wrong with all these assumptions. Please challenge them or shout at me or do whatever you feel is adequate :)
Continue reading on github.com