I have a half off topic question: how are you doing this in light of the CFAA and what happened to Aaron? I truly wonder.

I discovered the bug yesterday, followed responsible disclosure with US CERT (based at CMU, so we got things moving very quickly there), and the bug is now fixed.

If the CFAA bars legitimate security research like this, then we would all be truly fucked.

"If the CFAA bars legitimate security research like this, then we would all be truly fucked."

You must be new here. This is why we have all been saying that the CFAA is truly fucked, for many years now :)

But yes, you did play with fire on this one. People have been convicted for far more innocent activities than this. I assume you're a student or recent grad and may be a bit optimistic about the world we are in. Don't fuck around under your real name or IP address when you do this kind of thing. "Accidentally" dropping a ' into a webform just to see what happens is one thing, but you won't be able to feign innocence with something this involved. Unless you are both the client and the server, or the other party is unambiguously inviting testing (such as a bug bounty), you have no claim to legitimate security research.

It's still awesome that you found and drew attention to this. It's important work. But, cover your ass next time, or know what you're getting into. Especially hitting obscure companies like this, who notoriously exist in a culture very unlike the typical valley-type company, where such activity makes them feel very threatened and outraged, often turning to law enforcement or initiating legal action.

Also, the term you're looking for is coordinated disclosure. Do not let the vendors define "responsibility" as they have attempted to do with the injection of that term into the lexicon ;)

CFAA probably does bar research like this; your right to test something for security flaws technically ends where someone else's server hardware begins. In reality, the optics of this vulnerability are so bad that you are vanishingly unlikely to take any legal shit for it. But be careful extrapolating from it. If you have questions about the legality of this kind of testing (and you should): consult a lawyer. Small price to pay.

It's a good find. Congrats.

Wait, yesterday? And the fix is already deployed to production today? That's either some truly impressive engineering from a company that made a freshman-year-level security mistake, or whatever patch they put in place to fix this is just as leaky as the original bugged version and it's just a matter of time.

Theory: Devops disabled the security flag on the JSON API, in order to perform integration tests, then didn't enable it until reminded.

This for sure! My theory has also been that it's possible they literally just needed to add "if (subscriptionApproved) {" to the top. Not exactly a ton of code!

They just killed the try page entirely. It's now a redirect to the home page. Hopefully they don’t try to bring that page back up without fixing all the bugs...

Why would he, (neo), have any target from the law on his back? He wasn't sharing or selling the information. LocationSmart should be the ones getting fucked.

Under the ridiculously broad scope of the CFAA, that doesn't matter. The CFAA can be (and has been) twisted to prosecute people that do anything to a computer system that they do not own if the system owner could even remotely perceive said action as harmful. It's been used in the past to prosecute security researchers for accessing publicly available websites because the website owners claimed that they weren't "meant" to be public, they were only publicly accessible to make it easier for the actually "authorized" people to access them.

Even doing something like an nmap or a simple ping against a server that you're "not supposed to" could put a target on your back from an overzealous prosecutor.

See https://www.theguardian.com/technology/2014/may/29/us-cyberc...

If we want to be really pedantic here, didn’t LocationSmart violate the CFAA? Their system queried the location of users’ devices without their consent. Does tower triangulation count as accessing the device?

I believe the flow of info goes:

The carrier determines the location of the phone because it's a cell phone. The Carrier provides the information to LocationSmart. There's no querying of the devices by LocationSmart per se.

Telecoms, not LocationSmart, are to blame here. They made an API providing access to location information without any supervision.