FWIW, I would probably have done something similar to them before I'd worked in the security industry. It's an easy mistake to make, because it's one you make by default: intellectual curiosity doesn't absolve you from legal judgement, and people on the internet tend to flip out if you do something illegal and say anything but "You're right, I was mistaken. I've learned my lesson."
To the author: The reason you pattern-matched into the blackhat category instead of whitehat/grayhat (grayhat?) category is that in the security industry, whenever we discover a vuln, we PoC it and then write it up in the report and tell them immediately. The report typically includes background info, reproduction steps, and recommended actions. The whole thing is typically clinical and detached.
Most notably, the PoC is usually as simple as possible. alert(1) suffices to demonstrate XSS, for example, rather than implementing a fully-working cookie swipe. The latter is more fun, but the former is more impactful.
One interesting idea would've been to create a fake competitor -- e.g. "VirtualBagel: Just download your bagels and enjoy." Once it's ranking on Google, run this same experiment and see if you could rank higher.
That experiment would demonstrate two things: (1) the history vulnerability exists, and (2) it's possible for someone to clone a competitor and outrank them with this vulnerability, thereby raising it from sev:low to sev:hi.
So to be clear, the crux of the issue was running the exploit on a live site without their blessing.
But again, don't worry too much. I would have made similar errors without formal training. It's easy for everyone to say "Oh well it's obvious," but when you feel like you have good intent, it's not obvious at all.
I remind everyone that RTM once ran afoul of the law due to similar intellectual curiosity. (In fairness, his experiment exploded half the internet, but still.)
I really appreciate your comment and hope it's OK that I added it here: https://dejanseo.com.au/competitor-hack/#shawn
Also, don't worry too much. I think everyone knows your heart was in the right place, and ultimately that counts for something.
You should consider security as a second career if you ever get bored with marketing.
Well, he wasn't running it on someone else's site, right? All the code ran on his site, so at worst he was guilty of trademark infringement or — if he copy-pasted HTML or rendered the same text — copyright infringement (which he could have avoided by just being a proxy to them, I think).
Or did I miss something? It doesn't sound like he did anything to other sites themselves.
To the author: an alternate ending to this story could have been “competitor found out; flipped out; forwarded this to their legal department; your next two years are very unpleasant, even if the lawsuit ends up settled.”
That’s the main reason why you want to get permission and make everyone aware before doing this.
Here’s a small example: at Mtso a coworker had been running a netpen against a certain well known company. They managed to pivot into their network and eventually onto dev workstations. Last I heard, they were grepping through devs’ home dirs looking for admin keys and such, to see how far they could go.
The difference between that situation and this is that at every single step of the way, Mtso was in constant contact with the target company and the higher ups knew exactly what was happening as it happened. The target company wanted to know how far we could get. After all, that’s what they were paying for.
(Red teaming is even cooler — it’s that, but breaking into buildings.)
But when you’re an outsider, you don’t have any institutional protection. So it’s doubly important to follow standard procedures (see Hacker One for examples).
I thought of a rule of thumb: if you’re getting information from a PoC that might benefit you / your business, it’s not merely a security PoC anymore. It’s an active exploit that you’re benefiting from.
But again, it’s an easy mistake to make without thinking carefully.
Do you have any idea how patronizing your tone is?
(I meant formal security training, FWIW. Also I know that feeling of "Oh boy, I just pissed off the internet, didn't I?" and wanted to remind him it'll blow over soon. It's not a huge deal, and he'll come out of it with +reputation.)