After I shopped a few other companies to see how our plans compared, I notified the marketplace operator via the only link on the website for customer service. Within about an hour, someone from their IT department rang me on the phone and started grilling me about how many other plans I browsed, insisted that I clear my cache and browsing history, and notified me that they would be watching to make sure nobody at our IP address accessed any other plans while the issue was being fixed.
I was pretty surprised at his response, and assumed they would be more grateful for exposing a pretty basic flaw, but I guess a natural human tendency in these situations is to try to externalize the blame. Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.
Which is a fascinating discussion, but has nothing to do with the case at hand, where the underlying HTML on a publicly accessible search result page contained SSNs of the teachers returned in the search.
All the analogies about "it's like asking the IRS for another document" are wonderfully applicable to this comment, but not remotely applicable to the actual article.
But the shoot the messenger aspect of reporting vulnerabilities is also very relevant. It’s just the nature of forums like this that some things bubble up to the top and dominate the discussion. Hard to say it’s your fault for retelling a story.
EDIT: Remembering it now, there were also email addresses with the Iranian navy as they coordinate with other navies to fight piracy too. Perhaps instead of sending a Rickroll I could have sent a mass email with Lennon's "Give Peace a Chance."
And they may also hurt him.
An IT employee who doesn't know about VPNs. Sigh.
The network team could not work it out. The vendor could not work it out. But one of the IT managers had an explanation: me. Firstly, it was due to an OpenVPN I installed on a server (with permission, as a stopgap measure so we could remotely access the "next-gen data centre" because the networking team was taking too long to get the real VPN installed and it was blocking other teams on the project). The explanation didn't make any technical sense: the VPN is just an application, nothing to do with the core routers; but he wasn't technical enough to understand that. They told me to shut it down, so I did (even though doing so inconvenienced the project), and lo and behold, it made zero difference to the problem. Then, he apparently even suggested at a management meeting (I wasn't there but I heard about it) that I was sneaking into the data centre at night or on the weekends to sabotage things, and that was why the new routers didn't work. Apparently they even asked campus security for my physical access logs, which revealed I hadn't been doing any such thing.
Eventually, the vendor worked out the problem. When you install the router, there was a step where you had to change the VRRP IDs to give every router a unique ID on the network. Clearly explained in the documentation, obviously essential, but apparently our networking team didn't read that part. You plug one new router in, everything is fine; plug the second one in, well, it still has the OOTB default VRRP ID, so now two core routers on the campus network have the same VRRP ID, all the other routers got confused, and the whole thing fell apart. Both our networking team and the vendor's support team were so focused on chasing some obscure bug they didn't see the basic config issue.
If you wind up putting your tax returns in the 'little free library' you set up on your front yard, you can't blame others for reading them, then handing them back to you and not telling anyone else.
That's the proper analogy for what happened in the original article.
Like sure I'm accepting a risk that you could do that but you're still a dick if you actually do.
Publishing to a public web server is analogous to that little free library, out in the yard. No keys, anyone can look in it at any time. If you accidentally put something sensitive in there, where anyone can see it without any access control, you can't blame them for doing so.
It makes one wonder if this is the case with the healthcare site you used, and whether or not this outsourcing of dev is common practice among government vendors. If so, it seems that we can only hope for something to fix these situations, given that government seems to only care once shit hits the fan.
"We investigated ourselves and found ourselves clear of any wrongdoing."
So I'm hopeful that the courts are slowly starting to wisen up in that respect.
He's also a neo-Nazi and white supremacist. I do believe in free speech, but some of the things he does seem to take it way too far.
And he famously doxed Kathy Sierra, a female technical writer who created the Head First series. I actually quite like some of the books in the series, and it's incredibly sad to hear incidents like this which actively discourage females in tech.
I suspect there's more to the AT&T incident than just, oh, I found a flaw, let me responsibly report this to the relevant parties in responsible disclosure.
"Yes, I'd give the Devil benefit of law, for my own safety's sake!"
And it should be noted that weev's turn towards overt neo-Nazism (rather than just antisocial trolling) took place in prison, where he was mistreated.
I once infiltrated some of the IRC channels he used in 2010 or so and have logs of him saying extremely antisemitic things in earnest.
(The groups I infiltrated also doxxed people and used that information in smear campaigns, which is why I'm using a throwaway for this comment. I checked HN's rules and guidelines and couldn't see anything against this; if I'm wrong about this, I apologise.)
It's pretty obvious that when you find a flaw you simply don't approach the people responsible for it, unless they have an EXCELLENT reputation of dealing with this. Otherwise do an anonymous full disclosure (edit: if you have an entity that routinely handles this sort of thing and has an EXCELLENT reputation, that would work too). If nothing happens, provide a PoC.
Of course people, even in IT, are kind of weird here. Somehow responsible disclosure got into people's minds as The Good And Proper Thing to do, and full disclosure being somehow irresponsible. Analogy: Some guy finds out the mayor is completely corrupt or does some illegal stuff. What do you do? a) Disclose this through e.g. the press b) Approach the mayor and try to get him to fix his stuff. Somehow, when it comes to IT security, people wanna see hackers do b) because a) would clearly be irresponsible. Wtf?
She used responsible disclosure to let the CDU know of this flaw, got sued in response.
After an outcry from the community the CDU apologized to her and retracted the complaint, and the proceeding was suspended at the end of August 2021.
It's pretty sad to see how people who act upon their best intentions, intentions which are beneficial to the society, are hit so strongly by those who are afraid to admit that they made a mistake. Hit in such a manner, that it tears apart the daily routine in a very negative way for months.
You are correct that they did not hold an absolute majority (more seats than everybody else combined), ensuring that they always had to form a coalition to achieve that.
Nevertheless, it might be better to use unambiguous terms like "plurality", or define one's terms, when writing for an international audience.
Huh? This analogy doesn't really make sense. The difference for software is extremely basic: if you publicize a vulnerability immediately, you give more opportunity for it to be exploited while it's being fixed. Malicious actors who hadn't found the vulnerability yet now get it handed to them on a silver platter.
Private notification simply gives the operator a head start on closing the hole before it's more widely known by potential attackers.
Again, it's not about Optimally Mitigating Corporate Security Fuckups, it's much more basic than that: it's about keeping you safe. This should obviously be priority #1. Anyone telling anyone else to do responsible disclosure by default because That's What Good Guys Do And You're Not A Good Guy If You Don't is quite clearly not putting the safety of the reporter at #1.
if it’s live it’s already being exploited. simple principle, but very effective.
OR let us reverse the analogy
You find out Facebook is running an international slave trade by using their data to find vulnerable teenage girls, sending them invites, and then kidnapping them.
Do you A) approach Facebook and try to get them to stop their practice, or B) alert everyone immediately?
The answer is you alert everyone immediately because Facebook in this example is doing corrupt and illegal things. There is a difference in how you should react concerning security problems that others can take advantage of and willfully committing illegal and corrupt acts.
At what point does it cross the line into IT malpractice? I would say that not even bothering to verify the current user has the access to view what is being requested is well over that line.
When you're dealing with PII, HIPAA, etc, there should be a standard level of competence. If I go into a doctor's office with a runny nose, and they remove my liver, simply stating that they practiced medicine "poorly" shouldn't be a defense.
Perhaps responsible disclosure could pass through his entity?
It's a way of anonymising the source to keep them safe, and centralising the risk to someone who is already highly regarded by companies and governments.
Something shouldn't have to be literally illegal to be considered shitty behavior. (Of course, people are often incentivised to be shitty, which is why legislation should also be applied to the issue)
Incompetence is very different than malfeasance.
Large governments and corporations are not your friends. They will hurt you if it benefits them, often very short-sightedly and regardless of the root problem. There are far too many articles like this one to think "responsible disclosure" is a safe practice. I remember one case where the red team was hired by the agency involved explicitly to perform pentesting, and when they found a vulnerability the government pressed charges!
If the case you’re remembering is the one where the red team assumed (without asking) that physically breaking into the courthouse at night was “in scope” of their engagement, I’m of the opinion the short-sightedness there was not the agency…
It’s _maybe_ grey area. But there’s no way I’d escalate a pen test to breaking in to a courthouse without explicit in writing permission from someone clearly authorised to give it, including in writing assurances that all relevant law enforcement had been notified (at least at high levels, if part of the authorised physical pen test was actually testing on-ground law enforcement capabilities).
They did fail to verify that law enforcement was aware (the client specifically asked them not to) and they seem to have misunderstood the building's ownership structure. The end result was that they fulfilled their contract and were arrested for it after encountering one idiot with power, after which the local politicians piled on in order not to look weak.
If one contacts the corrupt mayor for a timed disclosure, he gets time to hide crimes or can continue being corrupt, but the press running the story only damages the mayor.
If I run to the press with a vulnerability, everyone is empowered in exploiting it. Sure it puts lots of pressure on the devs, but devs can only work so fast, which creates a window of opportunity which damages both them and their users. A timed disclosure doesn't prevent exploitation that's already happening, but doesn't increase the problem by itself.
The desired outcomes in the two cases are different, and it's no surprise different strategies are optimal.
Sadly, time and time again, what in practice ends up happening is the window of opportunity is wasted by the devs being instructed to work on new features rather than fix critical security bugs the company thinks are not widely known.
Apple’s response to four zero days being only the most recent high profile example of that.
If changing a few characters in a URL was a crime, I'd be gone for life.
edit: and, I'm using "normal" in the same sense as the comment I was originally responding to: to indicate an everyday occurrence
Instead of a normal company having a bug bounty and sometimes even with cash prizes.
Do you think Google "will watch your IP" after you reported a bug? Or will they give you money?
What helps in the short run? and what helps in the long run?
I honestly think they'll do both - but they won't tell you they're watching your IP because it's needlessly antagonistic.
Proper response would have been "Wow! Thanks!" and at worst "Please don't share what you saw, and thanks again."
They should check their own logs instead of relying on a 3rd party that may not tell the truth. This shows incompetence.
Each time a breach like this or in the original post happens, it makes me feel that our tools are just not there yet. If there were simple tools that caught vulnerabilities like this we would improve the standard of security.
I think as soon as anything healthcare adjacent comes up most people will feel the need to get very nosey about what you accessed. It's possible they would have needed to file an incident (though, honestly, they should've regardless of what the reporter responded with) and gone through some procedure.
It's unfortunate the guy was a dick about it - but asking the extent of the data you accessed probably isn't unreasonable and may have been legally mandated.
There's no way I'm telling them I did that, haha!
Rule 1: Never tell people they're making a mistake unless you trust them to trust you.
They are scared because their leadership is likely also afraid - and so unable to provide protection by taking responsibility.
This is the vibe of an organization where mistakes lead to blame and punishment instead of quick resolution and learning.
Your own outrage to your data being exposed would have been perfectly reasonable.
I would have thought using incrementing IDs in a URL was as beaten of a dead horse as sanitizing your strings in a SQL query. Then again, ACA websites behaved as if the lowest bidder was selected.
A friend of mine bought a book online that was just a link to a PDF at an S3 URL.
I chopped off the /book.pdf part, and it was just an S3 bucket with all the other books they sell.
Oy vey, that was a mess though. Breaches happen, everyone knows it, even companies dealing with PHI that are beholden to crazy HIPAA fines. My report ended up conflicting with a bunch of dates a former supervisor, who at that point wasn't even involved in the department, had knowingly misrepresented to the state. After the fix was merged and I documented the whole scope of the breach, I go and look at the emails and reports on the matter. She's gone told the state all about the scope of the breach, misquoted release dates of the fixes, just minimized a bunch of things with which my report directly conflicted. This person who wasn't in our department anymore shouldn't have even been involved in the first place, yet here I am looking at publishing a report that'll land her in trouble. It put me in a difficult spot. I didn't want to get her in trouble and I thought about misrepresenting my own report. In the end I figured she made her bed, my report was the definitive statement on the matter and her emails were largely reactive so maybe they'd just forget what she said. It was, and they did.
The most important thing you need to do during a breach is be honest. On the other end be vocal and trust in the fact what you're doing is ultimately helpful. The government doesn't want to fine businesses. The only thing that'll end up screwing a company is if they're found to be negligent or dishonest. Negligence is easy to avoid because all you need to do is reasonably try to fix the problem once you've been made aware of it. Dishonesty on the other hand is a foot... that like a diaper-bound chubby baby, some people can't help shoving into their mouths. Don't throw IT under the bus though man, even if that guy on the phone was rude there were some good people on the matter. Some people just don't know how to act when they're caught up in a problem.
What you did was walk down the block, pull on the doors of random houses, and if you found one unlocked, went in and took a look around. If you found my door unlocked and left me a note, I would be grateful. If you went in and took a look around, then did it to all of my neighbors, we would have you arrested.
The bug here is an unlocked door. It being unlocked is a security risk, and people are thankful if you let them know. If after identifying the security risk you proceed to commit a crime, you're surprised people aren't "grateful?"
>difficult to hold yourself accountable
isn't it though...
>are malicious actors
This was going to the doctor's office, and while sitting in the room with your files, seeing a bunch of other patient files just left on the desk in eyesight.
Not in an unlocked filing cabinet, not in an envelope, but in the open.
Changing a URL is not "malicious use" nor is it considered doing something you're not supposed to.
As a web client, I should be able to change or manipulate the URL to my heart's content, it is 100% the server's job to restrict my access and make sure that I cannot access resources I shouldn't.
This is entirely the fault of the operators, not the user, and they were mad at them because they _allowed_ the user to access things they should not.
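As an added illustration of the point above (this is not code from the thread or from any real marketplace site), a minimal Python model of a "plan id in the URL" endpoint: the vulnerable handler that only checks the caller is logged in, beside one that does the object-level ownership check, plus a small log check so an operator can scope the exposure from their own logs instead of asking the reporter. All names, plan data and log lines are constructed for the example.

```python
"""Server-side object-level authorization for ID-based URLs, plus a log check.

Added illustration (not code from the thread or any real marketplace): an
in-memory model of "GET /plans/<id>" where the plan id is a sequential
integer. The vulnerable handler trusts the id in the URL; the fixed handler
requires the plan to belong to the caller's account and answers 404 for
anything else, so the status code does not reveal which foreign ids exist.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    account_id: int          # account the caller authenticated as


@dataclass(frozen=True)
class Plan:
    plan_id: int             # sequential id that appears in the URL
    owner_account: int
    details: str


# Constructed sample data: three accounts, four plans with consecutive ids.
PLANS = {
    1001: Plan(1001, 1, "ACME Health Gold, 40 employees"),
    1002: Plan(1002, 1, "ACME Dental add-on"),
    1003: Plan(1003, 2, "Widget Corp Silver, 12 employees"),
    1004: Plan(1004, 3, "Northwind Bronze, 7 employees"),
}


def get_plan_vulnerable(session: Session, plan_id: int) -> tuple[int, Optional[Plan]]:
    """Only checks that the caller is logged in: classic IDOR."""
    plan = PLANS.get(plan_id)
    if plan is None:
        return 404, None
    return 200, plan            # any authenticated user gets any plan


def get_plan(session: Session, plan_id: int) -> tuple[int, Optional[Plan]]:
    """Object-level check: the plan must belong to the caller's account.

    Missing and foreign plans both return 404 so the response does not
    confirm which ids exist.
    """
    plan = PLANS.get(plan_id)
    if plan is None or plan.owner_account != session.account_id:
        return 404, None
    return 200, plan


# Constructed access-log lines: account_id, method, path, status.
ACCESS_LOG = """\
acct=1 GET /plans/1001 200
acct=1 GET /plans/1002 200
acct=1 GET /plans/1003 200
acct=1 GET /plans/1004 200
acct=2 GET /plans/1003 200
"""


def foreign_plan_reads(log_text: str) -> dict[int, list[int]]:
    """Map each account to the plan ids it successfully read but does not own.

    Lets the operator scope an incident from their own logs (which plans,
    by whom, how many) rather than relying on the reporter's recollection.
    """
    reads: dict[int, list[int]] = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "200":
            continue
        account = int(fields[0].split("=", 1)[1])
        plan_id = int(fields[2].rsplit("/", 1)[1])
        plan = PLANS.get(plan_id)
        if plan is not None and plan.owner_account != account:
            reads[account].append(plan_id)
    return dict(reads)


if __name__ == "__main__":
    s = Session(account_id=1)
    print("vulnerable:", get_plan_vulnerable(s, 1003))   # 200 and a foreign plan
    print("fixed:     ", get_plan(s, 1003))              # (404, None)
    print("foreign reads per account:", foreign_plan_reads(ACCESS_LOG))
```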
They weren't just in the open. A copy of these records was pushed, unsolicited, to the user's device and the user simply looked at what was sent to them.
and as soon as you get this data and you read all that information sent to you by mistake instead of seeing it's not yours and stopping, you have committed a crime. what exactly is it that you don't understand here? what the op did is literally against the law.
you should look up how http works. the request to get the data comes from the client browser. it's called a GET. the op requested to GET someone else's records from the server, after knowing the GET request he sent to the server would get him this information.
so again I ask - what is it that you don't GET here? The OP very literally committed a crime. a crime being very easy to commit, does not make it legal.
There's no such crime. If you disagree, by all means cite a statute.
> you should look up how http works.
I'm intimately familiar with http. Upon issuing a request for your records (the request, GET or otherwise), you receive a response, pushed to you, with records you did not request.
I think you may want to re-read my comment, this time more carefully and thoughtfully.
as far as the crime, it's called unauthorized access to a computer system, and many people are in jail for it. whether that system is password protected or not makes absolutely zero legal difference.
As I've mentioned, my metaphor is request, response. This additional data is included, unsolicited, piggybacking on the response. I think this is clear.
Regarding the crime, no, this is completely incorrect. It sounds like you're referencing 18 USC § 1030. This law cannot apply whatsoever to this situation because there is no unauthorized access. The data was pushed, unsolicited, as part of an authorized access. It's being sent to all users when they use the system in a normal authorized fashion.
Viewing the data takes place on the user's own device, because the state itself put the information there. We are all authorized to access our own devices as much as we please.
The suggestion that the CFAA might apply here is nothing short of absurd.
So the data was pushed, very much solicited, as part of a new access. That the user's browser held an authorization (cookie?) for a previous access to the user's own data doesn't quite, AFAICS, mean that this new access to other data was also actually authorized.
the law disagrees
as far as your doctor's office strawman - it's a strawman. To see those files, you don't have to actively do anything, if they are left at the desk. Now, if you pick up one of those closed folders, open it, then start looking through it - you have an equivalent comparison. You also have an arrest record.
But don't argue with me. What he did is literally illegal.
...and then proceeding to rifle through a bunch of those files to satisfy your curiosity.
Finding a vulnerability and reporting it -> Good
Continuing to exploit the vulnerability after you've found it just to satisfy your curiosity -> Bad
I would say it's more like:
You are walking down the street, and notice that there is a public noticeboard. It has a list of names, yours among them, associated with a number of steps each. It instructs you to walk a certain number of steps down the street, and then look up at the paper taped to the sidewalk that many steps down.
So, you do, and upon looking down, you see some personal information about yourself! You are a little perplexed, since this doesn't seem very secure. So you take one step back, and look down. Wow, yep, not very secure, there's information there too!
Being a human, you are naturally a little nosy and curious, and as these are publicly posted, after all, you glance through a couple more before finally regaining control of your better sense of civic duty, and report to the owner of the notice board that there is a problem with their "security".
I think this is a better analogy because:
* browsing to a web page is NOT the same thing as going into someone's house.
* the internet is public.
* there was CLEARLY no malicious intent. The OP clearly didn't harm or intend to harm anyone here, even if perhaps he should have immediately stopped when he began to suspect the website had a flaw and he shouldn't be able to see this information. I see no evidence of malice here.
I do agree that in general, just because a system responds 200 OK, you're not necessarily clear to do anything you want when what you're doing is obviously wrong. But at the same time, we should NOT be prosecuting or blaming people when they're able to access more than they're supposed to be able to PLAINLY due to the software's design insufficiencies and there's otherwise clearly no intent to cause harm.
We really need to take a more even-handed approach to this. And, we REALLY need some kind of a professional bar in software engineering. I would expect a student in their final year of CS to be able to produce a more secure system than what the OP described, so the fact that it exists in a quasi-government website is a complete fucking joke, if you'll pardon my language.
Or perhaps, "Here's a binder with numbered pages; turn to page 345 for your information." You wonder what's on page 346, so you turn the page, and lo and behold, someone else's information.
If once you find the information on page 346, you then keep flipping and looking at people's private information on the next hundred pages like the OP did, you have now committed a crime. The fact that you can easily access something, does not give you the right to access it. If you think otherwise, you think malware that steals your contact and banking info is legal. No, not the one that hacks into your computer. The solitaire game you download and install that has a trojan in it.
After all, you gave the solitaire game access to your hard drive to save and read its own games. Perfectly fine for it to scan the rest of your files. You gave it access to your network card so you can upload your scores. Perfectly fine for it to capture all other network traffic. All trojans are now legal as long as they're packaged with software you voluntarily install.
I agree that morally, the guy should certainly not have continued to look through what he knew was private information he wasn't meant to have access to. I'm not sure the law sees a difference between looking at pages 347-350 and looking at page 346, however.
Page 346 was an accident - your intent was to read Your data. In viewing Further pages, as the OP stated for the explicit purpose of viewing other people's confidential medical data, the intent is a crime. It's the same thing as walking up to someone's desk in an office you're allowed to be in, and looking through their files.
I don't know what the actual law is, but given the benefits to society of "good people" reporting this kind of issue, I think that toying around with something like that should be considered not a crime at all, rather than being considered a lower-severity crime.
He did not report the issue after finding it. He abused the security hole for his own benefit. He is a criminal.
Low severity? In civil court, they can take every penny he has, every penny he'll ever earn, and his house. In criminal court, he can be charged with unauthorized access to a computer system, one charge each time he did it. And he did it a lot, and they have logs. Which is all literally in his post.
Viewing other people's medical information is not a low severity crime btw.
A url is not a door, but an archway, or possibly a door frame.
And, if I'm in City Hall, the mechanism that keeps me from entering the Mayor's office should be the security guards and key-cards, not my disinclination to open a door.
you mistakenly wandering in is not illegal. however your strawman is not what the OP did. it's a paragraph of text for crying out loud. please at least read the story before commenting.
Then, while you're at the clerk's counter you notice a menu up high above, like at a fast food restaurant, listing random commands with no explanation. Curiously, you call one out to the clerk and see what happens. The clerk returns with a crushed can. You call out another. The clerk dumps a roll of pennies on the counter.
That's not fraud, it's negligent supervision and stupid design.
(Playing devil’s advocate here)
Tell me, what happens if you, heavyset_go, send an invoice to Apple, and the invoice says you're "Cisco" and they pay it. Do you get to keep the money, or does the prison get to keep you?
The OP was already authorized and authenticated on their own company account. They never falsified their authorization or their identity, they just requested documents at a specific URL and the other party had no problem replying with said documents.
It's really a lot more simple:
> After I shopped a few companies to see how our plans compared
This isn't white-hat, it's grey-hat at best. Found the vuln, and then used it.
I don't agree with the dramatic reading that I'm responding to.
You might have missed this part. I did, too, on first reading. They did sift around.
If that company decided to file charges against him, this HN post is an admission of guilt for a crime.
And you have to cause injury for it to be fraud. Is "Help I was too honest to a customer." a valid injury claim?
Is this system more trusting of people than it should be? Probably. Does that mean you're allowed to snoop on other people's documents -- nope.
A printing press also isn’t sentient and can’t guess whether its operators really mean to share every sentence on the plate. But browsers and readers of printed materials (that are left in public places) have no obligations to the publisher’s state of mind. Why should browsers of digital materials?
No. It's like someone asking you what you need, you telling them "I want all my documents and the ones from my neighbours because I feel like it", and them proceeding to hand you everything you asked for neatly collected in a folder.
Of course it's on the user if they know they're not supposed to have access to some info and they use it to their advantage regardless. If they're a nice person they'll even report the issue (though less likely after news like this).
> just because the vending machine is broken and works without you paying doesn’t make it not stealing
So if it's broken and doesn't work despite me paying, does that make my payment a donation? No.
Though it probably is theft if I knowingly abuse the error for profit.
Like you can say "URLs aren't sensitive by default" up until the guy admits that he knows it's an error and he's accessing the private data he's not supposed to see. That changes the situation completely.
Just like the IRS admin assistant in the example was, the agent to cause the transfer. The filing cabinet/server is not the agent, simply the repository responding to the system and practices in place.
No, it merely assumes the server is acting on authority of the organization identified by the domain name. It doesn't assume agency, only representation.
You can certainly assign various levels of blame and responsibility to the human "server" in those scenarios. But the human on the other side of the interaction, the one requesting information, doesn't magically become free of reproach. If they are requesting information they know they should not have access to, and then making use of that information for their own gain, they're guilty too.
There's a very narrow carve-out for the white-hat: requesting information with the intent of uncovering vulnerabilities, with the intent to help them get fixed. We expect a white-hat actor here to destroy and not make use of any information they obtain that they shouldn't have.
> If I go to the IRS to do some paperwork and notice it says "File #7881991" in the top right corner and I go to the clerk and ask them "Hey, can I have files 7881992 and 7881993, too?" and they give them to me, who is liable for that? It's quite obvious.
Yes, it is obvious: the clerk is liable for giving you something they shouldn't have, and you are liable for fraudulently representing yourself as someone who should have access to those files.
I don't get where this idea of "the other person let me do the crime, so the crime is ok" comes from. That's just not how the law works in the real world. If you then walked out of the IRS office with those files, I would absolutely expect you to get arrested. (Even if you immediately gave the files back, you'd probably be on shaky legal ground.)
It's always okay to ask for things. There would be no way for society to adapt, progress, or change if people were limited to only asking for things that they knew in advance they were allowed to have. If it's legal for a telemarketer, pollster, reporter, cop, or recruiter to contact me and ask me questions then it's just as legal for me to contact and ask a web server a question. The correct response to unauthorized requests is a 4xx, not a lawsuit.
More to the point, what makes it okay to ask a new web server for "/" without permission? Even if browse-through terms of service were legally enforceable they aren't known to the user or the browser before making the first connection and request.
If a web server doesn't want to answer questions then don't connect it to the Internet.
If you know doing x will cause y, then when you do x you are doing y and you are responsible for the consequences of doing y. It doesn't matter what x was.
This is especially true in the real world.
You filled out some form to request a document from the IRS. You give the form to the person, they give you the document.
You notice they don't check IDs, so you change the name on the form, and get someone else's document.
This definitely seems to fit the definition of fraud:
380 (1) Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service [that's the canada definition]
All company data was, in the OP's scenario, made public to any and all authenticated users.
There is no way to rationally spin this as a malicious act, in my view.
Downloading a number of them and comparing information, however, is not necessarily malicious but rather sketchy.
The closest real life example I can think of would be along the lines of:
- your car is in a public parking space and someone looks inside vs
- the same car is in the garage and someone breaks the door to look inside your car
You never typed google.com into the browser? I doubt it.
Maybe you just mean "construct" as in edit the URL to access another site - well, that's still a perfectly normal use-case. I regularly change reddit URLs to old.reddit because it gives me a better user interface. Or access a subreddit by adding an "r/subname". Sure, those aren't alphanumeric IDs, but that distinction is meaningless. Some unique IDs on the web do actually consist exclusively of English words. And some numeric IDs are harmless page numbers or pagination info.
This definition of fraud doesn't define the word "defraud"? I don't know how I'm supposed to see if it fits or not.
It can't mean any action, or going into a store, lying about my name, and asking what aisle has baked beans would fit. Because that has "deceit" and "any service".
If I interpret things as the service being minimal and provided for free, so that I'm not deceptively getting the service, then we have to look at what actually gets sent to me, and whether it's "property, money or valuable security". And since it's just a copy of the data sent at no cost, it's much harder to argue fraud exists.
While you could construct hypotheticals where OP is using the health plan information to gain actual value, they are all so far-fetched I wouldn't buy them as a fictional plotline. Dude was probably just curious.
If you convince them that you really are X and they give you the file, I think that would be considered fraudulent. Whether or not an injury takes place to raise it to the level of fraud I guess depends on what was in the file, but in countries with strong privacy laws, someone would probably be in a heap of trouble.
To be able to login as BoBibbidyFooBar, and subsequently access ANY company's info in the system without changing their identity from BoBibbidyFooBar does not, in any way, constitute any sort of fraud. It literally cannot, by any sensible definition.
Not at all because what you describe involves impersonating someone else.
In the OP case, they were authenticated in the session as themselves and always acted under the truthful identity and asked for a document and access was granted.
So the analogy would be going up to the desk and saying: I'm John Doe, my id number is X (truthful value), could I see file ABC? And the attendant checks that id==X does have access to document ABC, and thus hands it over.
A better analogy would be you asking for your files, and then the secretary taking you to a filing cabinet containing everyone's files right there with yours. You don't have to lie about who you are, you can just look at other files because they're right there in the place that you were just given access to.
Analogies are always going to be imperfect, but I can't see the argument that the "separate request" analogy is any worse than yours, let alone "wrong".
I agree that it's unreasonable to blame users for finding things like that. But if those same users are downloading all the data and making use of it for their own purposes, that's not ok. Finding a vulnerability and reporting it is an admirable thing to do; exploiting that vulnerability yourself is not.
Sure, but how is that relevant? What material false representation was made which was relied on in deciding to provide the data?
If there was no decision, much less one based on materially false information, there can be no charge related to false pretenses. Your argument against decision-making is an argument against your claim of false pretenses.
> If a computer system erroneously prints an extra 0 on a check mailed out to you that doesn't mean you get to keep the money because the computer isn't the entity that decides how much money you're owed.
That's neither entirely true nor at all relevant to your false pretenses claim.
I might forget to lock my front door one day, but that doesn't make it ok for you to wander into my house and look at all my stuff.
Requesting access (i.e. knocking on a door/typing a URL) is not illegal. If you grant that request (i.e. inviting me in/serving a webpage), I am under no obligation to psychically infer that you didn't mean to and refuse your invitation.
If I could simply use the excuse "well, the computer gave me the information", then there would be no such thing as hacking. It's always a case of the computer sending the information to you.
Compare to a restaurant: simply walking into a restaurant is not illegal, but an owner can restrict access and ban someone from their restaurant. It takes no technical skill to break into the restaurant, the door is wide open, but without authority it is trespassing. However, it is on the owner of the restaurant to actually ban someone. For a public space, be it a restaurant or a webpage, by default you are permitted access. Attempting to enter a restaurant you've never been to before is not breaking and entering, nor is accessing a URL hacking.
If a website has some user agreement saying you will not access certain portions, or even if there is just a notice on a website saying this site is not public, then they have done all they need to do to revoke someone's authority, even though they would be incredibly easy to "hack." But as laid out under Van Buren v US, you don't lose authority to access things simply because you possess some intent undesirable to the owner. If you invite me into your home and I sleep with your wife, I haven't trespassed; if you tell me to get out and I don't leave then I have.
Further, there's a distinction between accessing something by normal, legal means and accessing something by other methods. For example if you invite me into your home only after I give you a false identity, I'm trespassing because I was never legitimately given authority to enter. Likewise if you hack a system with say a stolen password, you don't have authority to access the system no matter how easy it was. But if you grant authority to someone without them having to do anything nefarious, then they have authority regardless of whether you should have done it or not. If you have something sensitive, don't put it in a place (in the real world or online) where authority to access is granted automatically and without oversight.
Send me a 401 (or a 403) status and I’ll know I’m not authorised.
In the physical world, nobody would lawyer up and go to court if someone walked through an open door with a sign saying “public entry here” and saw something confidential.
If you have confidential information around in the physical world, you make sure you have facilities staff who know the difference between “public entry here” signs and “authorised personnel only” signs. You also have facilities staff who know how to fit door locks and door closers, and security staff who know how to choose appropriate locks and to enforce compliance of locking doors. And if all that breaks down, it’s not Joe Concerned-Citizen who tells you about it, or even Mallory from your competitor who waltzes out with trade secrets who gets held to account, it’s the manager and/or executive in charge of facilities and security who’d be answering the difficult questions, probably with their lawyer at their side.
It's sad that the legal system hasn't yet started to hold people to account for having incompetent web developers and server operators.
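The flaw the thread keeps circling is a missing object-level authorization check: the marketplace verified that a user was logged in, but not that the company id in the URL belonged to that user. The added example below (mine, not the marketplace's code; all names, ids and plan data are constructed) puts the vulnerable handler next to a hardened one that answers 403 and records the denial so that repeated cross-company requests are visible to the operator.

```python
"""Constructed illustration of an insecure direct object reference (IDOR).

fetch_plan_vulnerable: checks authentication only, so any logged-in user
can read any company's plan by editing the company id in the URL.
fetch_plan_hardened:   derives the permitted company from the session,
refuses everything else with 403, and logs the denial for detection.
All users, companies and plan records here are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: session user -> employer, and each employer's plan record.
USER_COMPANY = {"alice": "acme", "bob": "globex"}
PLAN_DOCUMENTS = {
    "acme": {"plan": "Gold PPO", "premium": 480.00},
    "globex": {"plan": "Silver HMO", "premium": 310.00},
}

# Denied requests as (user, requested company id); a real service would
# ship these to its logging pipeline instead of keeping them in memory.
AUDIT_LOG: List[Tuple[str, str]] = []


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def fetch_plan_vulnerable(session_user: Optional[str], company_id: str) -> Response:
    """The marketplace's mistake: 'is this user logged in?' is the only check."""
    if session_user not in USER_COMPANY:
        return Response(401)          # not authenticated at all
    doc = PLAN_DOCUMENTS.get(company_id)
    if doc is None:
        return Response(404)
    return Response(200, doc)         # returned regardless of who asked


def fetch_plan_hardened(session_user: Optional[str], company_id: str) -> Response:
    """Authentication plus object-level authorization."""
    if session_user not in USER_COMPANY:
        return Response(401)
    # The permitted company comes from the session, never from the URL.
    if USER_COMPANY[session_user] != company_id:
        AUDIT_LOG.append((session_user, company_id))
        # 403 tells the caller they are not authorised, as the comment above asks.
        # Some sites answer 404 here to avoid confirming the id exists; either
        # way the record must not be returned.
        return Response(403)
    doc = PLAN_DOCUMENTS.get(company_id)
    if doc is None:
        return Response(404)
    return Response(200, doc)


def denied_requests(session_user: str) -> int:
    """How many cross-company requests a user has had refused; a small
    threshold on this count is a reasonable alert for id enumeration."""
    return sum(1 for user, _ in AUDIT_LOG if user == session_user)
```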
So if a piece of paper flies in my face and has company secrets and I manage to look at it, I'm at fault here?
> I might forget to lock my front door one day, but that doesn't make it ok
Sorry but if you're not going to secure your belongings, then expect to be robbed.
Being 'ok' has nothing to do with it.
It’s not even “getting robbed” really. Nobody here deprived the owner of anything. It’s more like:
Sorry but if you're not going to secure your belongings, then expect to have people look at your stuff.
If the security system is broken and you do exactly what it should be preventing, then you report it and get upset because they ask questions about you doing exactly what you did?
We don't need to reach for analogies to observe that while the theoretical ideal is to report it after just one false access, that no significant damage was done by accessing just a few more via human manipulation of the browser URL, with no recording or sharing of the results. From a human perspective, no damage was done.
Whether that legally crosses a line involves a whole lot of details that few, if any people here, will be able to speak to, because of the complication of the law, and HN's conclusion as to the legality is of marginal interest even if someone competent were to give an opinion.
We can speak to the fact that even if it does technically cross a line, a prosecutor really ought to use their discretion to not prosecute since nobody was hurt. We can say that because that's just an opinion. I expect we don't have very many people here who actually want the book thrown here (though, as always, enough read this that it's probably non-zero).
OP admitted to continue changing URLs in order to check out what plans other companies were getting and what they cost. That means OP downloaded lists of employee names, ages, SSNs, and other data. If I were an employee at one of these other companies, I'd be pissed at OP for that. I'd be even more pissed at the people who built the marketplace website for making the rookie security mistake that allowed it, but it's absolutely not ok to download other people's information when you shouldn't have access to it, and use that to your own advantage.
Sure, I don't think this is something that should be prosecuted as a CFAA violation with big fines and jail time. That's not a proportionate response. But I also don't think we should signal that it's ok to look at (and use!) other people's data just because someone else forgot to lock it up properly. I think, for example, something on the level of a parking ticket would be appropriate here.
If OP had changed the URL once, found the vulnerability, and then immediately closed the page and reported the problem, I would see nothing bad in what they did. But they didn't merely do that, and IMO crossed the line in their subsequent actions.
Then they shouldn't have let you in. How are you completely absolving them of responsibility when all they had to do was say "Who the hell are you? No, you can't come in."
Do I bear responsibility for letting you in? Yes. Should you be there? No. Should you have knocked on the door? No. Should you have tried the same at my neighbor's house and every house on my block? No. In this metaphor and in the original context, everyone is acting with honest intent except the actor knowingly trying to access obviously confidential documents.
Let's drop the metaphor. The original story was that someone accessed a number of documents they weren't supposed to but technically could, and the question was whether or not that it was reasonable that the owners of the documents were upset with that.
I argue there was good reason to be upset given the facts on the ground. In this particular situation, the original poster was there to access their own document. Having accessed someone else's document, that would be the point at which the behavior crosses from legitimate to illegitimate if it continues. Leaving at that point would be one appropriate response. But systematically going through a number of different documents goes beyond a mistake and into the realm of intentionally exploiting this security issue for unauthorized purposes. That's when it crosses from "honest mistake" to "dishonest exploitation".
I have no idea about the illegality of the issue. But the fact is plain that this person was not the intended recipient of the documents, they knew they weren't the intended recipient, and then after realizing the nature of the exploit, they continued to use it.
This is not the same as knocking on a door for a legitimate reason, being let in, and then the person inside being mad you're there. It's knocking on a door for no reason or a malicious reason, knowingly doing something inside the resident doesn't want you to do, and then wondering why they are mad at you.
The way you phrase this makes it seem like accessing the documents was a mistake. Maybe the first one was, but I think the thing you are missing about the OP's story is that the behavior was repeated. I think the first instance was arguably okay. But subsequent access with the knowledge that what they were accessing was not intended for them is in my eyes beyond a mere misunderstanding.
You also have to remember that having physical or digital access to a thing is not the same as having permission to view the thing. For example, if a "Top Secret" document is delivered to your house with your name and address attached to it, if you read it without the appropriate clearance you will still be in trouble. The legality of such a thing is well established in that case, but the principle is the same: even though you have access to a thing and all you have to do is move your eyes in some direction to see it, the act of seeing it is still at minimum an ethical breach (why are you looking at things that you know don't belong to you?).
I guess this is the fundamental philosophical and ethical question: do you believe you are entitled to know any information as long as you have the technical ability to physically or digitally access that information? What if I have medical records on a screen in a room you are in, and all you have to do is move your eyes over to see my most personal info? Are you entitled to read that information because it's visible to you? Or do you think you owe it to others not to breach their privacy even though you have the ability to do so? Would you be mad if someone violated your privacy, and then retorted with "well you should have implemented some better technology to prevent me from moving my eyes in that direction"? I guess in that scenario you would have to blame yourself and your technological abilities, and not the person violating your privacy.
The right analogy would be if I was in the apartment complex and I said to a door not mine "I'm home open up!" If the door opened and I did it intentionally, am I liable?
I still feel like yes but since you have to request the document and receive it I think it's different than just checking locks.
Because any physical analogy is such a poor representation of how a website actually works, everyone just cherry-picks the analogy that demonstrates the logic they believe should apply, and then tries to constrain the argument to that logic via analogy.
So the argument is a heist occurring on a train, so we've got the thing that we're trying to heist (which would be our point) and then we're shifting it from one car to another. And some of the analogies here are clearly like passenger coaches, but others are more like those... coal-transporting cars, whatever they are called... and at some point we move to the inappropriate railroad car and drop the point in the coal which obscures it.
Anyway, the point is that at some point you really just hope that some conventional train robbers will show up and derail the whole thing because it has gotten too convoluted to follow.
1. People who kept their doors unlocked
2. Person who randomly entered doors & found things.
We need to take care of security of our properties, though stealing is wrong.
But I think that a better analogy would be asking the apartment manager to see your payment history and getting handed the entire apartment building's ledger.
First, it's trivial to just use a different IP address. Second, even if you could track people perfectly, which you can't, who the hell thinks it's okay for data to get leaked as long as you know who it gets leaked to?
Yeah, once you start using a vulnerability maliciously to obtain confidential data for your own personal gain, even if it's a stupid vulnerability, you're not really a good-guy security researcher anymore.
If all you did was the bare minimum to demonstrate the vuln exists, that's cool. If after you do that you continue to use it to obtain confidential info for your own gain or curiosity, that's not so cool.
> Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.
You literally just admitted to being a malicious actor in the paragraph above.
All I'm saying is if you find an exploit, and after you verify it works, you continue to use it for your own personal ends, you're no longer benign and you shouldn't expect a warm welcome from the security team.
The line is when you start to use exploits on computers not owned by yourself for your own ends instead of for the purpose of verifying and reporting the vuln. Sure you could cross that line a little bit or a lot, but you're not innocent if you're over it.
I think this is what people may have been missing from your original post: at some point things can go from innocent to malicious.
"Crime of convenience" is the most common type, after all.
"I'm not the type to steal, but the cash was left on the counter, and …"
The appropriate response from the security team (after verification) is to pull the site down or immediately patch the vulnerability, if possible. Making an outbound call to a third-party is pointless and irresponsible.
And the details of different plans are not the kind of confidential info that innately deserves protection. Investigating or recording personal information would be bad, but they didn't do that.
Apply for jobs at the other companies with better plans, proceed with interviews, offers and then finally accept one and quit their job at their current employer... To reap the rewards of their malicious hacking...
What does "keep or memorize" have to do with anything? They intentionally abused a misconfiguration to view private information.
I think it's reasonable to disagree about the ethics of that, but I don't think it's really debatable that it was intentional.
"private" information is too vague of a term.
Malice implies intent. If we take the author at their word, there wasn't any, though you could say they took it too far by looking at other stuff they probably knew it was ethically wrong to do so.
Though, sometimes it isn't clear you're in compromising territory until you're in it.
If any of the confidential information obtained wrongly gets used to advantage … that's malice.
If the parent set out to exploit the insurer by finding inconsistent/unfair pricing, etc., etc. … that's malice.
What harm was done by someone comparing prices? What organization lost money? Who got worse health service?
"Unethical" and malicious is the current, profit-driven health insurance system.
I know you're coming at it from an absolutist perspective, but I disagree entirely with passing judgement.
Furthermore, the fact that you seem more upset with the person who glanced at a few plan prices rather than at the healthcare system, or the incompetent website operators, is telling.
It removes the information asymmetry, which protects the profits of the seller.