Hacker News new | ask | show | jobs
by zozbot234 236 days ago
The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.
3 comments
iancarroll 236 days ago
Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.

[0] https://www.justice.gov/archives/opa/pr/department-justice-a...

link
bitexploder 236 days ago
Without any sort of formally posted bug bounty program explicitly authorizing this sort of activity the CFAA prohibits unauthorized access of "protected computers". I would classify this as legally risky. If FIA had a stick up their ass they could definitely come after the researcher. The researcher's ethical standing is pretty clean in my book, but this was definitely a little more than just changing a URL parameter (only a little more). I would say this is unsafe to do if you are in the united states. The stopping point was somewhere around "I think I could provide the admin role" and reaching out to the best contact you can find and say "Hey, I am an ethical white hat security researcher and I noticed X and Y and in my experience when I see this there is a pretty reasonable chance this privilege escalation vulnerability exists. The chance it exists is high enough in my experience that you should treat it like it exists and examine your authorization code. If you would like I can validate this on my end as well if you give me permission to examine this issue. I am an ethical security researcher" ---> point over to your website and disclosed issues if you got em. To just do it is ehh... I would not take the risk. However if I /did/ do it I would definitely disclose it to them immediately and give an explanation like the above. Shooting the messenger in this case would be pretty asinine, especially if they didn't access anything sensitive, that would preclude FIA from having any evidence you did anything sketchy (cause you did not). The reason I would not do it is because you never know if a system like this pre-fetches data, etc. and that is definitely opening you up to liability of possessing PII etc. Overall, I have disclosed issues like this in the past without actually exploiting the issue to good results. Some times companies ignore it. You can always say "If you do not want to treat this issue as a vulnerability I am going to write this up on my website as an example of things you should probably not do" if you feel ethically compelled to force them to change without actually exploiting the issue. People tend to get the message and do something.
link
squigz 236 days ago
I'd highly recommend adding some newlines to such comments. Walls of text are not fun to read.
link
trollbridge 236 days ago
... so you'd prefer that the only people doing this will be black-hat hackers who then sell the information on the black market?
link
array_key_first 233 days ago
I think nobody does, but ultimately our laws are stupid. The CFAA in particular can be unfairly weaponized to make examples, and can put people in prison for DECADES for activities that don't warrant such a response.
link