Ask HN: I've reversed-engineered a private API, now what? - nnd

I'd like to discuss the ethical aspect of using a private API.

I was able to reverse-engineer a secure HTTP API of a website with over 10 million users to enable access from third-party clients (one has to authenticate with their login and password). This hack allows you to access your own data on the website, that's it, there is no malicious intent.

I have several options here:

* publish it on a popular blog and wait for the company to act on this (they probably won't be too happy)
* report the vulnerability to the company, and when they fix it, publish the information

I really want to publish this hack, as it could be useful for others to learn how to reverse engineer APIs, and I also believe there is no reason why said API should be private in the first place, they should open it.

What would you do?
======
dberlind
Wow, this is a great question. Over at ProgrammableWeb, we have seen A LOT of
unauthorized APIs turn up over the years. In fact, when we've discovered them
and added them to our directory, we are sometimes asked (occasionally
threatened) to take down our directory entry. These APIs are sometimes
developed via the scrAPI route, while other times a debugger has been used to
watch what a native mobile app does, while still other times, the service
provider has simply divulged WAY too much in their client-side JavaScript.
However it was done, I agree there is a moral dilemma.

If I were to make a suggestion, it would be to report it to the company so
that they can learn about how to better secure the API from your hack. I think
that outweighs the efficacy of publishing the API to the public. But I guess
it depends on what you're looking for; notoriety in the hacker community (you
can't put that Pandora back in the box) or a reputation for discretion. Either
one will get you credibility. Just in different forms.

One additional option would be to write about how you did it as sort of an
instructive piece to hackers and service providers alike (perhaps anonymizing
the service in the process). If this is something you are interested in doing,
I would gladly pay you for the right to publish that article. Let me know.

David Berlind, Editor in Chief, ProgrammableWeb

------
charlesdm
Where are you based?

In the EU, this isn't a problem. You're free to reverse engineer the structure
of APIs/protocols/data formats to integrate third party apps with it.

Morally, I don't think there's a problem either. Heck, you could build
something cool on top of it. That's what I would do.

I don't even see reverse engineering APIs as a vulnerability. A ton of APIs
(i.e. used in mobile apps) can easily be reverse engineered.

------
justinsb
What is your goal? It sounds like the moment you publish, you expect the
company will close the API. So you will actually be blocking third-party
clients.

How about making your own third party client, but not publishing the API
details until they are closed?
