←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
561 points bearsyankees | 2 comments | 12 May 25 16:39 UTC | HN request time: 0.52s | source
Show context
tuwtuwtuwtuw ◴[12 May 25 17:05 UTC] No.43965199[source]
I m not sure I understand properly. Did he try to hack a random service he encountered? Is that even legal? Where I live (Sweden) it's definitely not legal.
replies(4): >>43965259 #>>43965316 #>>43965357 #>>43965809 #
secalex ◴[12 May 25 17:58 UTC] No.43965809[source]
IANAL and this is not legal advice, but you probably fine reverse engineering a mobile app and intercepting your own network traffic. He was doing ok until he started enumerating IDs in their database, at which point he started venturing into the territory that got weev 3.5 yrs.

https://www.wired.com/2013/03/att-hacker-gets-3-years/

I am not endorsing this interpretation of the CFAA, but this kid needs a lawyer.

replies(1): >>43966090 #
tptacek ◴[12 May 25 18:26 UTC] No.43966090[source]
I mean, he ventured in that direction, but until he discloses PII and leaks evidence of his intent that's the extent of the similarity: directional. People on message boards drastically underrate the importance of intent evidence in criminal cases; they all want there to be some hard-and-fast rule like "if you can see it in the URL, and you don't use a single-quote character to break SQL with it, it's fair game", which is not at all how it works.
replies(1): >>43966416 #
1. tuwtuwtuwtuw ◴[12 May 25 19:00 UTC] No.43966416[source]
His blog post seem to make it clear that his intent was to gain access to data in a computer system he did not have permission to access. Why would "disclose PII" be relevant?
replies(1): >>43966439 #
2. tptacek ◴[12 May 25 19:02 UTC] No.43966439[source]
CFAA cases turn on the "why" as much as the "how", and "because I wanted to find and disclose security vulnerabilities for the good of the public" is a disfavored "why". Read the sentencing filings in the case you're talking about to see more about the implication of disclosure.