by UncleMeat 1951 days ago
No it isn’t. White hats are very careful to ensure that their work does not affect other people. “I gave the money back” isn’t good enough.

This is not always possible, however. How should the hacker have proceeded in this case?
By stopping. If it is not possible for you to penetrate a service without causing disruption or harm to others, then you stop. You could reach out to the business and say "hey, you should consider checking this out" or asking if they offer some sort of test system for pentesters. But sometimes the result is just to not proceed at all.
If he'd _needed_ to test payment (arguable), he could have created a 'real' account, deleted it, squatted his own deleted account, and sent payments to it himself.
Pushing beyond the account creation step wasn't necessary. Enabling the payment functionality is where it deviated into black hat territory.