
While I was working on an anomaly detection system (finding cheaters in a quite popular online game service) I accidentally found a way to get a user's password in a reasonable amount of time. Basically, the whole idea behind building an anomaly detection system was to apply for a job at that web service and to provide my preliminary solution.

After finding this vulnerability I am thinking of applying there not only with a CV, but also with the detection system, and explaining the vulnerability as well. But here is the thing: I remember reading about a guy who found a problem in Yahoo!, reported it and got rewarded, then tried this with Facebook and got jailed.

Because I think that jail is not the best place for me, I would like to ask what the chances are of being charged with a crime.

To keep in mind

  • I am not working for that company
  • my main objective is to finish my cheat prediction classifier
  • the only passwords I tried to break were the passwords of my own dummy accounts
  • I want to work for that company

P.S.: I think that I did not make myself clear. I am working on a classifier that predicts whether a person is cheating in the game or not, and because this is a big problem for that service, I am planning to apply for a job, having this classifier as an additional plus for my CV. I accidentally found a vulnerability and am thinking about whether I should report it or not, and if yes, what problems I can face. It is going to be something like this: "here is the problem and here is what I think you should have done. If you want, I would like to work for you, but not as a security specialist (I do not have the knowledge for this), but as a data-miner". Whether they will take me or not, I basically do not care.

It has nothing to do with the scenario: "I want to work for you and I know how to get a password of a user, so think twice before rejecting me."

Salvador Dali (edited by eightShirt)
  • This is NOT 'Ethical Hacking' - this is what is known as 'Grey Hat Hacking'. – schroeder Nov 13 '12 at 19:30
  • I am not familiar with the term, but according to Wikipedia "white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to "advise the hacker community as well as the vendors and then watch the fallout". I have not tried to advise anyone and basically I am going to tell the company about this issue – Salvador Dali Nov 13 '12 at 19:39
  • And neither colour hat is 'Ethical Hacking'. Ethical Hacking requires that the owners know about the hacking attempts before you start. That's the 'Ethical' part. – schroeder Nov 13 '12 at 19:41
  • Please note that, given the TOS of most websites (and some government laws), hacking even your _own_ account is (potentially) illegal, even if it results in no gain (material or otherwise) for you. And they only have _your_ word that you only hacked your dummy accounts, too... – Clockwork-Muse Nov 13 '12 at 22:54
  • But they can check my word. If they cannot, who can prove that I was not just boasting around without doing anything? But thanks for the answer. – Salvador Dali Nov 13 '12 at 23:01
  • Randal L. Schwartz, a notable author on Perl, faced legal troubles from cracking a password file at a work site. Schwartz wanted to inform coworkers of weak passwords. An embarrassed VP, whose password might have been cracked, claimed the testing was unauthorized. That's how I remember hearing it. See http://en.wikipedia.org/wiki/Randal_L._Schwartz – Paul Nov 14 '12 at 01:07
  • I don't think this question has as much to do with IT security as it does with legal and workplace issues. – MCW Nov 14 '12 at 12:03
  • I am asking for opinion from IT security professionals. How exactly they think I need to behave in such a case and what implications can it have. A lot of material was new and very interesting. And I am pretty sure it will be important to know for other people – Salvador Dali Nov 14 '12 at 12:29
  • @SalvadorDali - Sure they can check; they can also, based on how much harm was done, claim they were unable to prove your claims. It sounds like what you discovered should simply be reported; the ethical thing to do would be not to expect compensation for reporting the problem. They are not your client, they have not requested that you discover this problem, and expecting compensation for reporting it is borderline blackmail. – Ramhound Nov 15 '12 at 13:34
  • Depends on your locality. In states that have approved DMCA, *any* security testing is illegal. You've just testified that you're guilty of a crime. – MCW Nov 14 '12 at 19:45

4 Answers


There really isn't enough information here to make a determination about your question. Jurisdiction, exactly what went on with how you found a flaw in the security and how you tested it, and what their terms of service say (which define how you are allowed to use their computers and data) all matter. In general, "hacking" isn't what is legal or illegal; what is illegal is using other people's hardware or IP in a way in which you are not licensed to.

If you were running an exploit against their hardware, then that was an intrusion, regardless of intent, and they could go after you for it if they really wanted to. If you took data that they licensed only for a particular purpose and abused the data in a way you were not entitled to, it may also be possible for them to go after you, depending on jurisdiction. If they provided data in the clear, without a license associated, and you found a way to use that data to abuse their system on your own hardware, then you are probably safe since you did not use their hardware or licensed data to make your determination. But again, this can vary widely based on jurisdiction, so knowing your local laws is the best policy, and IANAL.

As for practical advice about how to approach it, I would suggest that you not approach it as a proven vulnerability. Certainly providing your anti-cheat system sounds like a plus. You could also simply mention that you thought you saw something that might be exploitable when you were working on it and ask for their permission to either test it or let them test it. You might be best off not mentioning the vulnerability at all, though, until after you get a job with them or get declined on the strength of your anti-cheat system alone. It is really hard to predict how people will react when a flaw is exposed by an outside party, even when reported responsibly. Many of the possible reactions wouldn't work in your favor, whether denial, anger or suspicion.

AJ Henderson (edited by Iszi)


This answer addressed the idea of applying for a job based on the discovery of a vulnerability.

The chances are high that you would not get the job if you applied on the strength of the fact that you successfully hacked their user security. Trust me, if someone walked into an interview with me saying, "Oh, by the way, I found a hole in your systems, hacked it, and here is my fix," that person would be escorted out of the building and I would call the police.

Fully disclose the vulnerability to them and them alone, and work with them to close the problem. THEN open the discussion of being hired for more security work. Once you try to combine getting a job with disclosing a vulnerability, it could be interpreted as an extortion attempt.

As for the chances of legal action, it depends on your location, their location, the location of the webserver you tested, the severity of the breach, and (to some degree) the attitudes and policies of the affected organizations.

schroeder
  • Re: "that person would be escorted out of the building and I would call the police": Why's that? – ruakh Nov 13 '12 at 21:34
  • @ruakh - because in many jurisdictions they could be breaking the law. – Rory Alsop Nov 13 '12 at 22:08
  • @ruakh - Because he hacked my service, found a vulnerability, and will only fully disclose on certain conditions. The only ethical course of action is to fully disclose the problem to the company. Even waiting to be an employee would not be ethical. – Ramhound Nov 15 '12 at 13:38
  • @Ramhound: What do you mean, "will only fully disclose on certain conditions"? The answer explicitly included "'and here is my fix'". – ruakh Nov 15 '12 at 13:57
  • I don't know why there is a question here. The issue is with "and I hacked it". Finding a vulnerability is one thing. Crossing the line to exploit the vulnerability without consent shows lack of judgement, dangerous activity, lack of awareness of the law, and in my jurisdiction, breaking the law. Coupled with announcing it in a job interview where it could be interpreted as an extortion attempt means this person will never get a job with me, should be removed from the building, and the police called for the illegal acts. Period. – schroeder Nov 15 '12 at 16:13

It is never acceptable to look for vulnerabilities in websites or services without permission. This is against the law, and rightfully so.

It is completely legal to look for vulnerabilities in your own system and in software that you are running. You could easily find a 0-day that affects many other people, and it's legal to do whatever you would like with this information (you're free to pass on the vulnerability's details as you like, but to actually use it to exploit a system without authorization is another story). That could mean making it public and obtaining a CVE number, or selling it to the highest bidder.

Very few companies have a bug bounty program. Facebook and Google do, and they can pay quite well for a high impact vulnerability.

rook (edited by eightShirt)
  • Thanks for the information. But in my opinion there is a contradiction in your answer: "never acceptable to look for vulnerabilities in websites or services without permission" and "completely legal to look for vulnerabilities in your own system, and software that you are running". I am running their software (playing on their website) and my credentials can be stolen if somebody figures out the way. To clarify, I am not asking for a bounty. – Salvador Dali Nov 13 '12 at 19:27
  • There is no contradiction in @Rook's answer. You are running the software on THEIR server, which means you are hacking THEIR systems. The potential impacts on you do not give you license to circumvent their security, even if the goal is to tell them about it later. – schroeder Nov 13 '12 at 19:39
  • Nice to know about it. I am not trying to justify anything, but it sounds strange to me: it is like I have rented a car, opened the hood and found that there is an easy way to break it. But this is misconduct, because I am not the creator of the car and have no right to see how it is working. Also it looks like the researchers who found the WEP vulnerability also did the wrong thing, because they had no previous agreement with whoever created it. – Salvador Dali Nov 13 '12 at 20:03
  • @Salvador Dali no, it's your car; you can do whatever you want with it. I can write a 0-day for IE and sell it, that is completely legal. The problem is going to someone else's car and poking around. – rook Nov 13 '12 at 20:05
  • @SalvadorDali Technically, the problem isn't a lack of agreement with the software (or vehicle) creators. It's a lack of agreement with the owners of the system on which the software is running. In your case, you lack an agreement with the owners of the game servers you have used this vulnerability against. In the case of the rental car, you lack permission from the rental company to break their vehicle. – Iszi Nov 13 '12 at 20:06
  • `It is never acceptable to look for vulnerabilities in websites or services without permission.` That depends. There is a huge difference between observation and manipulation. – Cypher Nov 13 '12 at 22:55

Whether use of a website is legal or not is completely independent of whether or not you're looking for a vulnerability or even if you find one. What matters is whether or not you are using the website in a manner consistent with their terms. It does not matter why you're doing it.

For example, attempting to log in using someone else's password is probably not allowed and therefore illegal. However, reading through a page's JavaScript looking for mistakes is probably perfectly legal. But then if you find something, and you attempt to test the vulnerability you found... well, probably back to illegal again.

Whether or not they press charges against you is their decision, but by breaking the law you've put yourself into a poor position to negotiate.

Now, if you have the site owner's explicit permission to look for vulnerabilities, well then you're back on the legal side again. Just be sure to get it in writing, as several notable figures have discovered.

tylerl
  • Thanks. So basically you are saying that I have to do something like this: 'Hi, I was trying to build a classifier and I think that you have a vulnerability in your service. Can I investigate more?' – Salvador Dali Nov 14 '12 at 02:36
  • @SalvadorDali - The more ethical statement would be "Hi, I was trying to build a classifier and I think that you have a vulnerability in your service..... Here is everything I know about the vulnerability...." Leave out the fact you tested it against your own accounts (unless they ask). – Ramhound Nov 15 '12 at 13:42