
560 points bearsyankees | 10 comments
1. tuwtuwtuwtuw No.43965199
I'm not sure I understand properly. Did he try to hack a random service he encountered? Is that even legal? Where I live (Sweden) it's definitely not legal.
replies(4): >>43965259 >>43965316 >>43965357 >>43965809
2. bink No.43965259
It's become a bit of a grey area thanks to most large companies having bug bounty programs now. I think some researchers just assume that all companies are OK with testing against their production services. IMHO it's almost certainly illegal, but simply won't be enforced unless the hacker/researcher does something malicious.
3. janalsncm No.43965316
If only all hackers lived in jurisdictions which enforce anti-hacking laws. If I am making an app, I’m not going to rely on the police to enforce cybersecurity.
4. charcircuit No.43965357
It's not legal in America either. And he is posting with what may be his real name which adds extra risk.
replies(1): >>43965444
5. bee_rider No.43965444
I’m not in security (thank goodness, it sounds like a legal minefield). It sounds like this system was so wildly insecure that… I actually kinda wonder what laws specifically he broke.

If you just text out passwords to anybody who asks, are they really doing unauthorized access? Lol.

I’m sure it was illegal somehow, though.

replies(1): >>43966176
6. secalex No.43965809
IANAL and this is not legal advice, but you're probably fine reverse engineering a mobile app and intercepting your own network traffic. He was doing ok until he started enumerating IDs in their database, at which point he started venturing into the territory that got weev 3.5 yrs.

https://www.wired.com/2013/03/att-hacker-gets-3-years/

I am not endorsing this interpretation of the CFAA, but this kid needs a lawyer.

replies(1): >>43966090
7. tptacek No.43966090
I mean, he ventured in that direction, but until he discloses PII and leaks evidence of his intent that's the extent of the similarity: directional. People on message boards drastically underrate the importance of intent evidence in criminal cases; they all want there to be some hard-and-fast rule like "if you can see it in the URL, and you don't use a single-quote character to break SQL with it, it's fair game", which is not at all how it works.
replies(1): >>43966416
8. carefulfungi No.43966176{3}
It is very likely illegal, but prosecution is also discouraged. From the federal government's guidelines on prosecuting unauthorized computer access (https://www.justice.gov/jm/jm-9-48000-computer-fraud):

> "The attorney for the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research."

9. tuwtuwtuwtuw No.43966416{3}
His blog post seems to make it clear that his intent was to gain access to data in a computer system he did not have permission to access. Why would "disclose PII" be relevant?
replies(1): >>43966439
10. tptacek No.43966439{4}
CFAA cases turn on the "why" as much as the "how", and "because I wanted to find and disclose security vulnerabilities for the good of the public" is a disfavored "why". Read the sentencing filings in the case you're talking about to see more about the implication of disclosure.