
I found a security issue on a competitor, got fired and served a summons

359 points | accidhacker | 4 years ago | accidhacker.wordpress.com

366 comments

avalys | 4 years ago
So, it sounds like, this guy worked for CorpCo, found a security issue with OtherCo's app, and explored their APIs (maybe from CorpCo's network?), including accessing at least one CC number that was not his.

Someone else later discovered the same issue with OtherCo and stole a bunch more card numbers, and used them to commit fraud.

OtherCo looked through their logs, saw the initial exploration coming from this guy at CorpCo, assumed he was also responsible for the subsequent fraud, and contacted CorpCo which ultimately fired him. The fraud was substantial enough for OtherCo to convince authorities to pursue criminal charges.

It's a sad story - but it's not unreasonable behavior from all involved.

paxys | 4 years ago
You missed the part where he immediately reported the vulnerability to his manager, security team and execs and got the assurance that it was being handled. If after that he is still thrown under the bus and fired, it's clear that someone at his own company dropped the ball and put the blame on him. I wouldn't be surprised if the actual fraud was committed by one of these people as well, using the very hack that he found and disclosed.
Aachen | 4 years ago
> it's not unreasonable behavior from all involved.

Isn't it? I understand OtherCo uses legal means to investigate more effectively, a judge might order ISP logs to be turned over or so, but CorpCo knows this person, knows they disclosed what they saw from the start. It sounds pretty unreasonable to fire someone over hearsay, especially when it's unlikely to be true (what dumbass does card fraud and tells their employer—a bank—and requests they disclose it to OtherCo?).

And even from OtherCo, they're acting like it's the 70s and they've never heard of responsible disclosure. I understand their logic a bit more for the aforementioned reason, but still, reasonable is not the first word that came to mind.

mmaunder | 4 years ago
Also could land them substantial prison time under the CFAA re: accessing a computer system beyond what was authorized. The above link seems to redirect to a default site now. I’m guessing they yanked the post.

Back before crime it was ok to explore all over town and on private property. When the kidnappings and burglaries started, all that changed. And I’m so very sorry about this because the old days were truly magical.

ufmace | 4 years ago
It's also not completely crazy to wonder if this guy discovered the flaw like this, reported it in a way he knew would never actually get to OtherCo, then exploited it himself through a more anonymous channel for real. Then wrote it up like this and made himself sound super-extra-innocent when he found it.
650REDHAIR | 4 years ago
Yeah, next time report it to the feds/state.

Get protected status as a whistleblower.

asdfasgasdgasdg | 4 years ago
TBH I definitely wouldn't want my employees going around and hacking competitors in their free time. Too much potential liability. I can see giving a star performer a chance if it's their first time doing it and if they'd already come clean about it to the other party, but otherwise I'd probably cut my losses.

It's one thing if it's a designated, well-vetted free-for-all, like Project Zero, with clear legal approval. It's another thing for a regular employee to be hacking competitors -- that begins to look like industrial espionage. And even GPZ doesn't hack banks.

Benjammer | 4 years ago
If this (not infosec) person was doing this type of security probing during work hours using work equipment, I could see them being fired even if they are hacking on the company’s own product.

You’re not paid as a competitive intelligence analyst and security researcher, regardless of your “personal interests,” you’re paid to work on a product to make the company more money.

Furthermore, if you start unpacking the mobile app of a bank and doing actual pen testing analysis in the wild hitting their prod servers, even accidentally, you seriously need to understand the situation you are putting yourself in, regardless of where you work.

kortex | 4 years ago
Eh, I agree it was kind of a dumb move, but there's no reason he shouldn't be able to have a snoop around. This wasn't "hacking" in the exploit sense. Web scraping, poking and prodding at APIs (yes even "private" ones), indexing a user ID, looking at source code, injecting your own code (e.g. modifying client js), redirecting some requests, none of these are hacking or exploitation, they are literally how the technologies of TCP/IP, HTTP, the web, and web browsers are meant to work.

I'm not sure where the line of "trying to break security" is, but none of the above count. Even accidentally blasting some endpoint with automated garbage. Intent matters.

jonathankoren | 4 years ago
> I can see giving a star performer a chance

No. A million times no. You do not use double standards. It kills morale, because it's immoral. Anyway, a top performer should know when to walk away and contact security and legal.

If I found this, I would immediately have contacted my manager and our security team, and seen if our security would advise legal. Then we'd immediately contact OtherCo's security team.

If you find a security flaw, you have to immediately report. You DO NOT "explore" someone else's machine. It goes sideways too easily, and people always want to get the cops involved. Your number one duty is to protect yourself.

meetups323 | 4 years ago
If I went to my manager telling them I was hacking a competitor's infrastructure and accessing competitor PII & proprietary IP, I'd fully expect to be fired on the spot. And they're the most laissez faire manager I know.
ummonk | 4 years ago
Yeah aside from the hacking there are potential copyright issues if he’s digging too deep in reverse engineering the competitor’s app.
unethical_ban | 4 years ago
You're probably correct from a liability perspective, but from a hiring perspective in that space, you probably want the kind of personality that is driven to do such things working for you.
precommunicator | 4 years ago
And what makes you think you have or should have any control over what your employees are doing in their free time?
guelo | 4 years ago
Imagine not wanting curious people on your staff.
roastedpeacock | 4 years ago
The kinds of assignments involved with GPZ also shy away from server-side applications run by other companies.

Maybe doing approved bug-bounty research in a competitor's webapp is a safer proposition.

Aachen | 4 years ago
> I definitely wouldn't want my employees going around and hacking competitors in their free time.

Where do you work? Just so I know where not to apply.

arcwhite | 4 years ago
Lots of people suggesting that either company was out of line here, but like, CFAA is still a thing (assuming OP is in the USA) and it's still got gnarly teeth. Let alone the possibility of industrial espionage allegations...

If you're going to go hack on a company, make sure you have some legal protection first. Check disclose.io or the company's website (look for a security.txt!) to make sure there's some sort of safe harbor provision, or a pre-existing vulnerability disclosure program or bug bounty program that allows you to do this kind of testing.

If you're not going to do that, then disclose the vulnerability anonymously and cover your ass while you're testing, or just don't.

Meanwhile if you're an American please write your local representative and express your displeasure with the antiquated, overly-simplistic CFAA and ask them to support initiatives to have it replaced or removed.
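arcwhite's advice to look for a security.txt before testing, as an added example (not code from the post or from any commenter): a parser for the RFC 9116 format that reports whether the file offers a current contact and a policy URL to read for safe-harbor terms. The sample file, example.com and its URLs are constructed placeholders.

```python
# Added example (not from the post): parse security.txt (RFC 9116) and
# decide whether it offers a usable disclosure route before any testing.
from datetime import datetime, timezone

# Constructed sample; example.com and its URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Security contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/vdp/policy
Preferred-Languages: en, de
"""

def parse_security_txt(text):
    """Return {field: [values]} with field names in canonical case.
    Comments and blank lines are skipped; lines not shaped like
    'Name: value' are collected under '_errors'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            fields.setdefault("_errors", []).append(raw)
            continue
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """ok is True only when Contact and Expires (both required) are present,
    Expires is a valid RFC 3339 timestamp that has not passed, and a Policy
    URL (where any safe-harbor wording would live) is given."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = list(fields.get("_errors", []))
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("no Contact field (required)")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # RFC 3339 'Z' suffix -> '+00:00' so fromisoformat accepts it
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:  # TypeError here means no UTC offset was given
                problems.append("file expired on " + expires[0])
        except (ValueError, TypeError):
            problems.append("Expires is not RFC 3339 with offset: " + repr(expires[0]))
    policy = fields.get("Policy", [None])[0]
    if policy is None:
        problems.append("no Policy URL: nothing in writing about scope")
    return {"ok": not problems, "problems": problems,
            "contacts": contacts, "policy": policy}
```

A file that parses but has expired, or that names a contact without a policy, is reported with the specific problem so the researcher knows what is missing before deciding whether any testing is authorized.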

dspillett | 4 years ago
Many moons ago we were scanning ourselves to test changes to our infrastructure, and when testing externally scanned a /24 instead of the /29 range we had. We found two wide open SQL servers, listening on public addresses with blank sa passwords (the default on install at the time, oh those innocent days...). Out of curiosity we had a quick look and found one of them contained credit card details. We backed out very quickly... Not wanting to leave such a hole open but also not wanting to risk accusations of hacking, we worked out who the companies were by other clues and forged emails warning them about the issue (sending them via a wide open SMTP server, again innocent times!). We never checked to see if anything changed.
WheelsAtLarge | 4 years ago
Shooting the messenger seems to be a common practice when it comes to security issues. We only hear about those situations where someone has gotten nailed because they reported an issue, but the fact that it happens at all is a problem.

I think part of the problem is that fixing a security issue is expensive and usually involves company management that has very little experience with code development so they think the person that reported the issue is a black hat hacker. It also makes life difficult for everyone involved.

A solution is to have a neutral in-between organization that can better understand how to deal with the problem without having to blame the person that reported it.

lamontcg | 4 years ago
I have no idea why you'd expect to have the right to probe around APIs like this and not be accused of malicious hacking.

You don't have authorization, you're working for a competitor, that business decided to throw you to the wolves because it's easy for everyone involved to forget you ever said anything since you didn't leave any paper trail.

If I find you sneaking around in my backyard having managed to open a ground floor window I'm going to probably lose my shit and call the cops, and not thank you for discovering a security flaw.

You need to get permission for this kind of shit, and not go around jiggling other people's locks.

And the level of effort here seems fairly high and a lot more than just "view source".

The author probably deserves to lose the ability to be employed at a bank because this was some pretty bad judgment.

ramraj07 | 4 years ago
Lol the audacity to say any of this. The only mistake this dude made was trying to be nice to either of the two shit companies he worked for. A fintech created a shitty shitty app and released it to the public and you accuse this guy of “jiggling” the lock? He should have totally released this info on 4chan and let the wolves do their job.
bastawhiz | 4 years ago
Why would you bring this to your manager instead of trying to find a way to report it directly to the competitor, anonymously or not? If a bug bounty seems like a conflict of interest, refuse it. From the perspective of the competitor, this was an unreported security vulnerability. Of course they were going to find out; if I logged in one morning and the DB table that's supposed to be nearly empty suddenly wasn't nearly empty anymore, that's alarming!

So much here is just an absolute wild failure of judgement.

hda2 | 4 years ago
Seeing that we as a society haven't fixed this problem yet tells me that we deserve the countless security breaches we get. I will continue to let any vulnerability I discover go unreported until the government grants immunity to those who report them.

I want to help others, but not at the risk of destroying my life.

borski | 4 years ago
Please report them; they're helpful. But there's a huge difference between finding a vulnerability, stopping, and reporting it, and finding one and continuing to dig.

If you report it immediately, often you'll even get asked to dig further; but doing it on your own without authorization is the problem.

bsuvc | 4 years ago
> … and have a lawyer working on all this drama.

> But I mostly kept this story to myself and felt it was time to share, even if anonymously.

I’m sure your lawyer would beg to differ that it is “time to share” if you still have a criminal and/or civil case pending.

I’m not sure why you’re publicizing what you have been accused of and providing the level of detail you have provided.

And is a Wordpress-hosted blog truly anonymous?

Anyway, I guess you are here for questions, so here is one: Do you feel like you made an ethical mistake attempting to find security holes in the competitor, or do you think your former employer overreacted and was wrong to fire you?

eek2121 | 4 years ago
Unsure why this is being shared with potential criminal and civil charges being involved.

Also, if true, you likely have enough evidence for a stellar lawsuit against the company once all is said and done. You may also have enough evidence for a second lawsuit against your employer depending on exact circumstances. Hopefully your lawyer is knowledgeable enough to navigate these issues.

In the future, don't involve your employer with security disclosures. Ensure you document everything and email or write the company in question to give them time to fix their issues. What they did is wrong, however you should have reported it to them in a reasonable amount of time. Not that you are required to, but rather, to cover your own butt and prevent this exact type of scenario.

wyldfire | 4 years ago
> Also, if true, you likely have enough evidence for a stellar lawsuit against the company once all is said and done.

To what end? If your adversary has attorneys on staff it will be a bigger gamble for you to bring a suit against them.

dredmorbius | 4 years ago
Original author seems to have had a change of heart, or valuable legal advice. The blog post has been removed and the Twitter profile locked.

Archives of the first, at least, still exist.

YPPH | 4 years ago
I'm not able to load the page.

"AccidHacker" "Coming Soon"

Is this happening for anyone else? Perhaps it has been deleted?

mark-r | 4 years ago
Likely to be deleted I think. If I was their lawyer I'd insist on taking it down immediately.
berkut | 4 years ago
Yep, same here...
galaxyLogic | 4 years ago
I think it's great that you shared your story with the world. We can learn something from this. I guess it is that security researchers can easily be accused of all sorts of things.

It is true that exposing a vulnerability in somebody's product can make them mad, since it can harm them. Especially with banks, they are not the most ethical entities out there. Good luck. I wonder if more people would like to offer their advice on what you should have done instead.

plebianRube | 4 years ago
It's been my experience as well that exposing vulnerabilities, especially financial ones, makes enemies, not friends.

So basically we learn to do the minimum possible, to not do the right thing so as not to get fired, and ignore gaping holes leaving them for someone else to risk their neck on, all so we can pay bills for 50 years and then hopefully retire.

What a life.

blaisio | 4 years ago
OP should really delete this blog post. It has a lot of details that could be used against them in court.
throwaway889900 | 4 years ago
It's already on HN now and the Wayback Machine is a thing. Once it's on the internet, it's pretty much there forever.
fsckboy | 4 years ago
You mean destroy evidence to hinder the prosecution?
cato_the_elder | 4 years ago
On one hand we have this poor guy, and on the other hand we have Aubrey Cottle, the guy who leaked personal details of about 100,000 individuals and openly bragged about it on TikTok. [1]

Anarcho-tyranny is truly the mot juste.

[1]: https://thegrayzone.com/2022/02/18/hacking-canadian-trucker-...

DoItToMe81 | 4 years ago
This guy has a history of claiming to have performed every hack under the sun for the last fifteen years. He's probably not being prosecuted because this info is very public; he's a well-documented bullshitter.

I saw it happen personally with a bunch of GNAA related hacks. He had befriended the people who actually did them, and within a year or two of finding out more details, was using them to claim he had either masterminded and planned them all or performed them all, alternating between the two based on whatever was 'cooler' in the situation.

sanguy | 4 years ago
Banks, credit card issuers, and many brokerages suck from a tech stack perspective.

During the Y2K times I did a lot of contract work porting old COBOL code to be Y2K-compliant. The number of seriously spooky security things was mind boggling.

Having mocked APIs like you found is not a surprise. The fact they even bothered to use APIs was a step in the positive direction versus telnet and ssh tunnels to pipe data around with hard-coded IPs and accounts.

hk1337 | 4 years ago
It sucks but I can totally see the employer's and competitor's viewpoints. OP not only cracked open the app but made requests to their server. OP is not involved with the infosec at their employer and has no business cracking open their competitor's app. The blowback from this could have been huge for the employer.
rukuu001 | 4 years ago
OP - the people involved only want to cover their arses, and they're all using you to do it. This is unjust, but unfortunately it's also normal. Time to stop talking and focus 100% on avoiding conviction by working carefully with your lawyer.
AlexCoventry | 4 years ago
I'd ask a lawyer about suing the accusers for libel.
650REDHAIR | 4 years ago
FinTech really embraces the “move fast and break shit” mantra.

I’ve seen so many blatant violations in my short stint it would make your head spin.

Happy to never go back…

sonicggg | 4 years ago
Wow, the author is very naive. Did you really think anything good would come out of you telling this to your employer? You do not owe them anything you do in your spare time, unless there's some contractual obligation. Companies are just looking after themselves, and will quickly throw you under the bus. I am very paranoid with that.

I used to explore APIs and do this sort of digging for fun, even though I was employed. My approach was the following. If the company had a decent bug bounty program, I'd be happy to report it there; it's the safest way for anyone to do that. If there was not, I'd try to sell it to an "alternate buyer", which is less preferred. I never found many things worthwhile reporting, though.

spoonjim | 4 years ago
If you are not making money from security you shouldn’t mess around with it at all. Too much downside and too little upside. Let the criminals ransomware the hospitals until society grows up and learns that they need security research.