[gknoy]

I don't think that the author violated the CFAA, though: in both cases, he was acting on behalf of his users that he had created in the system -- the same requests he would normally make when using those accounts. ("BobAtHome", "BobAtWork" could concievably be two accounts for Bob.) That seems substantially different than what Weev did, which was try to read ${Everyone}'s data.

[meowface]

Moonpig.com is not an application you run on your own computer, though, it's a service operated and hosted by Moonpig. Any tampering with that application in a way that's not intended is a violation of the CFAA.

As you and I have essentially both just said, it's very unlikely there would be any prosecution due to the facts and the researcher's intentions, but I think it is still a technical violation. Paraphrasing, but the first line of the CFAA is "having knowingly accessed a computer without authorization or exceeding authorized access" (that line is explicitly for access that could jeopardize national security, but it goes on to set similar limits for general unauthorized access of any entity).

In this case it is not necessarily unauthorized access of a customer's account, but unauthorized access to a component of Moonpig's system.

[richardwhiuk]

That's difficult to argue given the app underlying it knowingly makes these requests.

It's arguable that he could be reverse engineering the API to make a compatible client - I think that should be legal, although IANAL.