[cookiecaper]

IANAL either but my understanding is that you can be prosecuted under U.S. law for poking around on servers in any unconventional way. The text of the CFAA forbids "unauthorized access" or "exceeding authorized access".

I'll admit that viewing the source code and noticing this link would be a stretch, but I wouldn't necessarily expect it to be a slam dunk for the researcher, especially if he had assented to the site's ToS (and since he had an account, it seems that he had).

At this point, I imagine he could be in all sorts of (primarily civil) trouble for the disclosure that he just made. He may be protected under some type of financial whistleblower law, but I wouldn't hold my breath.

[nickpsecurity]

"The text of the CFAA forbids "unauthorized access" or "exceeding authorized access"."

BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.

[emodendroket]

It sounds awfully close to what got weev sent to jail.

[cookiecaper]

This is a good parallel and you're definitely right. However, weev was charged [0] on 2 counts:

1. conspiracy to access a computer without authorization

2. fraud in connection with personal information

This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.

Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.

According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).

I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.

Overall, I don't think that weev did anything that I wouldn't have necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.

Again, not a lawyer.

[0] https://www.eff.org/document/criminal-complaint