He confesses that it was a black hat "proof of concept", but he's refunded the money and reported things to Patreon.
Patreon, and ANY website that has users' profiles as permalinks, should reserve ANY account name that has been deleted to prevent squatting.
I'm not sure how this works with the right to be forgotten laws though; I have a gut feeling that you can have your profile deleted and the leftover URLs and permalinks just go to 404 or other kinds of placeholders.
Then you are leaking info about previous (or private) existence of the resource. If I recall correctly, GitHub returns 404 for existing private repos, for example.
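A defender-side sketch of the scheme discussed in the comments above: deleted handles are tombstoned so they cannot be re-registered, and the profile URL answers 404 for both "deleted" and "never existed" so it does not reveal prior existence. This is an added example, not code from the post, from Patreon or from GitHub; the `HandleRegistry` class, the keyed-hash tombstone and the status mapping are all assumptions of this sketch.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Profile:
    handle: str
    display_name: str


@dataclass
class HandleRegistry:
    """Hypothetical username registry that tombstones deleted handles.

    - A deleted handle is never handed out again, so a later registrant
      cannot inherit the old permalink and the inbound links pointing at it.
    - The tombstone is a keyed hash of the canonical handle rather than the
      handle itself, so the registry keeps no copy of the departed user's name.
    - Profile lookups answer 404 for both "deleted" and "never existed", so
      the URL does not reveal whether a profile used to be there.
    """
    pepper: bytes  # server-side secret; the test passes a constructed value
    live: Dict[str, Profile] = field(default_factory=dict)
    tombstones: Set[str] = field(default_factory=set)

    @staticmethod
    def canonical(handle: str) -> str:
        # Trim and case-fold so "Creator" cannot dodge a tombstone for "creator".
        return handle.strip().casefold()

    def _tombstone_key(self, canonical: str) -> str:
        return hmac.new(self.pepper, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

    def is_available(self, handle: str) -> bool:
        key = self.canonical(handle)
        return key not in self.live and self._tombstone_key(key) not in self.tombstones

    def register(self, handle: str, display_name: str) -> Profile:
        if not self.is_available(handle):
            # Same error whether the name is live or tombstoned: the caller
            # learns only that it is taken, not why.
            raise ValueError("handle unavailable")
        profile = Profile(handle, display_name)
        self.live[self.canonical(handle)] = profile
        return profile

    def delete(self, handle: str) -> None:
        key = self.canonical(handle)
        del self.live[key]  # KeyError if there is no such live profile
        self.tombstones.add(self._tombstone_key(key))

    def profile_status(self, handle: str) -> int:
        """HTTP status the permalink /u/<handle> would return."""
        return 200 if self.canonical(handle) in self.live else 404


def registration_error(registry: HandleRegistry, handle: str) -> Optional[str]:
    """Attempt a registration and return the error message, or None on success."""
    try:
        registry.register(handle, "probe")
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    reg = HandleRegistry(pepper=b"constructed-demo-pepper")
    reg.register("PopularCreator", "Creator")
    reg.delete("PopularCreator")
    print(reg.profile_status("PopularCreator"), reg.profile_status("never-existed"))
    print(registration_error(reg, "popularcreator"))
```

The tombstone set grows without bound and is never pruned; that is the intended trade-off, since a pruned tombstone is exactly the squattable name the first comment warns about.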
The writer at the end refunds the money and messages Patreon to fix the issue, I think that would go massively in his favour in the rare chance it ended up in front of a judge.
I was going to leave this alone, but it's important to point out this is not white hat.
This would still be black hat (or arguably grey hat)...
White hat would have been realizing the possible problem and informing the company without actually making the account (or only making the account to prove the link, but not taking money from anyone).
You could possibly argue that if the author "cheated himself" only, that's okay... E.g. paid themselves through Patreon... Assuming the author eats the cost difference and doesn't refund.
The author actually defrauded unaware visitors, intentionally; he has caused harm to them, Patreon (financially or good will/name), and the money transfer networks; this is at a minimum grey hat... Sure, the end user donating was made whole, but other business entities were harmed... Someone eats that transaction fee.
By stopping. If it is not possible for you to penetrate a service without causing disruption or harm to others, then you stop. You could reach out to the business and say "hey, you should consider checking this out" or asking if they offer some sort of test system for pentesters. But sometimes the result is just to not proceed at all.
If he'd _needed_ to test payment (arguable), he could have created a 'real' account, deleted it, squatted his own deleted account, and sent payments to it himself.
Legal consequences aren't the only form of consequences. In this post the author mentions their (legitimate) business.
If I was a potential customer looking into said business and found this post I would be very put off by the lack of morals. The strongest condemnation we receive for literal theft is that they "didn't want to"; the author barely even seems to understand why their behavior is immoral.
Did you read the post to the very end?
I don't see anything immoral, he just spotted a weakness in Patreon, warned Patreon and wrote a blog post about it. Nothing wrong here.
The author makes no mention of warning Patreon about this weakness, unless you're counting this blog post as the warning.
They clearly attempted to impersonate the original owner of the page, using a description and artwork suggesting they were the original owner.
The second to last paragraph features the author fantasizing about how much money they could make by defrauding people. Quote: "This plan could be pretty profitable!"
Like yeah, in the end they took down the page and refunded the patron. But the author made the wrong choice at essentially every step prior to that moment.
The author didn't just "spot a weakness in Patreon", they attempted to (and managed to) commit wire fraud. The fact they had little success and later returned what they stole is relatively little consolation.
Not as uncommon as you think. Many people realize without knowing much about the law that breaking the law can be a great business plan. They just converge upon ideas that are illegal naturally and unperturbed by the potential problems.
Ironically this is also a bit of an entrepreneurial advantage. A trained corporate management drone will be aware of all the bad things that can happen and has been paper trained by lawyers to be frightened of doing anything illegal. The sweet spot is when it's something that's just slightly illegal or just a matter of civil law, but the danger zone is in something like this which is just fraud.
I am just saying that in security, while it can be very difficult to always find where the line between ethical and unethical conduct is; and what will get a company to pay attention to an issue without getting yourself arrested;
What I AM saying is that this person blew so far past that line that I wonder if they are even aware that one exists.
All without even considering that, maybe, "that time last week when I committed wire fraud" probably isn't the best topic for a blog post.
Do I think that the author was acting maliciously or in bad faith? No. But the US justice system has a really nasty habit of not taking facts like these into account; as Aaron Swartz tragically learned.
Tl;dr "it's just a prank, bro" is not an effective legal defense, and prosecutors fucking LOVE convicting hackers.
Why fraud? If we are talking about criminal law, the requirements to convict a person are strict. In this case the author has not claimed, either on Patreon or YouTube, to be someone he is not. He has not falsified any data/documents and has not stolen any account, since the one he claimed was available.
Sketchy? No doubts. Fraud? Doesn't seem like it at all.
In the UK it could be technically counted as fraud by false representation. The legal hurdles for this are:
* The Patreon page was misleading (this post shows it was, including the use of old links and imagery to show association to a YouTube channel which was false)
* The person making it knows it might be misleading (they did - they said so in this post)
* The intention was to make a gain in money for themselves, others or to cause a loss to someone else. This includes situations where the gain in money is only temporary (again, technically yes.)
I'm not saying they should be charged with it as clearly they didn't mean to cause harm and were doing it to raise awareness, but it does seem to fit the definition.