> The company said it didn't yet know if many people beyond a Wall Street Journal reporter saw the nonpublic information, but believes the exposure was limited.
>>Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself).
The company said it didn't yet know if many people beyond a Wall Street Journal reporter saw the nonpublic information, but believes the exposure was limited.
Kickstarter said it patched the security hole on Friday afternoon, after The Wall Street Journal began analyzing the exposed data.
Does that sound to anyone else like the WSJ just openly admitted to deliberately hacking Kickstarter?
This is something that based on a few precedents, probably wouldn't be considered hacking. This includes the Democrat operative who uncovered a meant-to-be-private audio recording belonging to Gov. Arnold Schwarzenegger by going to the governor's public file server and moving up the directory tree:
I am not sure why you think incrementing IDs "isn't considered hacking". Obviously, there's no concept of "hacking" under the law, but to qualify as unauthorized access to a computer system, the only thing a prosecutor will need to prove is that a reasonable person would have known that manipulating raw URLs (or POST parameters or whatnot) to view other documents contravened the intended use of the system.
There is absolutely no provision whatsoever under the law that scales the severity of unauthorized access with the difficulty of the technical countermeasure you circumvent. Unauthorized access is unauthorized access. There could be no security countermeasure in place whatsoever and you could still run afoul of this.
I really doubt modifying a GET URL would be considered criminal in any court. It's far too easily accessible to everyone. It's two physical actions, a click and a keypress.
I'm pretty sure you're wrong. Ease has absolutely nothing to do with the statute. If a reasonable person could be expected to know that the pages they were accessing were unauthorized (or more precisely if a prosecutor or plaintiff's counsel could make a convincing argument), that's the ball game.
This is a very common misconception among tech people about how the CFAA works.
I think they could make a reasonable argument that they didn't know they would just be given the documents upon request if they weren't authorized. If I ask you for a hundred dollars and you give it to me with no force or trickery, that is not theft, because your giving it to me implies consent.
That's where I see ease of access coming into it: If you really don't take any effort to keep me out of something (even as little as telling me "stay out"), how do I distinguish that unauthorized content from content I'm authorized to access — and not only that, but make the distinction before I access it?
Do I think you'd be convicted for manipulating URLs idly to prove a point? No.
Do I think you'd be convicted for manipulating URLs and grabbing their entire database? Very possibly.
Do I think you could incur five figures of legal headache in either scenario? Yes, I think you could, depending on how savvy the "victim" is and how close to "fight or flight" you push them.
Yes, but that's with many, many laws, right? It depends on the prosecutor, defense, and jury.
The way it's been described so far, the reporter thought he had found an undocumented API...which, totally speaking out of guesswork here, could be as simple as seeing the json file being passed through the web inspector, seeing that there's an id field, and then iterating across it. The person has no expectation that when the id is of a private object, that the service would actually return that data.
As with most (but not all) criminal statutes, the intent matters. If you can clearly demonstrate that you had no intention of actually accessing information you weren't authorized to see, and, better yet, that you didn't set out with an express purpose of abusing someone else's application in order to gin up the material for a for-profit news story, you'll almost certainly end up OK... if by "end up OK" you mean "excruciating legal drama that concludes in your favor".
Let me be clear: I don't think Kickstarter is going to go after the WSJ, or even that most companies would raise a huge stink about this.
To be honest, if I changed an ID on a URL, I expect it to say "not found" or "not authorised" if I am not allowed to see it.
If it doesn't say such things, than I can expect that it is ok to view.
That is what I have come to expect of such web pages.
Should I be able to say "But.. you aren't meant to go there!" ? At what point does your legal boundary lie for what is considered a public webpage and what is considered "not authorised."
What matters is intent. Did you intend to go there with the purpose of violating some agreement? Or did you stumble there by accident. I think that makes a difference.
I can't seem to find the article now but wasn't there a story a while back about someone who was able to access other people's bank accounts by just incrementing the User IDs in the URL?
Only in the white hat sense of security research. This isn't anything that existing, legitimate security companies don't do routinely. He contacted them before publication, and while the timeline isn't clear it seems that the fix was live before the article was.
If the WSJ did anything more than what Kickstarter can reasonably claim the minimum required to confirm they had something worth reporting to Kickstarter (note: a very different standard than "minimum required to confirm a bug") then no: call it "white hat" or "security research" or whatever else you want, but under the law it is very likely unauthorized access, and it's merely community norms protecting anyone at the WSJ who took part in exploring this bug.
Do not fuck with other people's web applications unless you're sure it's OK.
It's OK at Google and to an extent it is OK at Facebook, because both have published policies. I think that's what you should do for your applications, too; if you don't, the other community norm is "no policy means report the bug to Twitter instead of your security contact".
You're obviously not going to go to jail (in the US) for not being careful about this stuff, but you can easily cost yourself 5 figures worth of legal fees and a whole lot of time and energy.
I know it's just a detail, but when the WSJ doesn't know what borough Kickstarter is in (not Brooklyn, as the story reports), it casts some doubt on the other facts in the story.
Kickstarter projects had a 46% success rate in 2011. But this figure only includes projects they approved to be listed on the site. I have always wondered what percentage they reject. With 70,000 private projects what can we conclude about the real success rate?
I've discovered a bug, I think) too last days.
I was logged into my account wandering around, then I responded to somebody on my Gmail (somebody who had a project on Kickstarter)...then I went back to my account and I saw I am logged in now as the person I've just responded to!
I took screenshots of her account, I logged out and logged back into my account.
I sent an email to Kickstarter but I had no response from them. I still have the screenshots.
That makes no sense [to me]. I can't work out any plausible or implausible reason that would happen when you used gmail. How would your cookies change to your friends? Has she used your PC before?
25 comments
[ 6.6 ms ] story [ 82.4 ms ] threadDon't they have logs?
http://www.kickstarter.com/blog/kickstarter-api-bug
>>Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself).
Kickstarter said it patched the security hole on Friday afternoon, after The Wall Street Journal began analyzing the exposed data.
Does that sound to anyone else like the WSJ just openly admitted to deliberately hacking Kickstarter?
https://twitter.com/#!/jsvine/status/202068880724729857
This is something that based on a few precedents, probably wouldn't be considered hacking. This includes the Democrat operative who uncovered a meant-to-be-private audio recording belonging to Gov. Arnold Schwarzenegger by going to the governor's public file server and moving up the directory tree:
http://articles.latimes.com/2006/sep/13/local/me-audio13
(disclosure: I'm friendly with the OP in the small world of devs)
*edit: obviously the AT&T ID case would be precedent too. But it seems the WSJ made prior notification before publication.
There is absolutely no provision whatsoever under the law that scales the severity of unauthorized access with the difficulty of the technical countermeasure you circumvent. Unauthorized access is unauthorized access. There could be no security countermeasure in place whatsoever and you could still run afoul of this.
This is a very common misconception among tech people about how the CFAA works.
That's where I see ease of access coming into it: If you really don't take any effort to keep me out of something (even as little as telling me "stay out"), how do I distinguish that unauthorized content from content I'm authorized to access — and not only that, but make the distinction before I access it?
Do I think you'd be convicted for manipulating URLs and grabbing their entire database? Very possibly.
Do I think you could incur five figures of legal headache in either scenario? Yes, I think you could, depending on how savvy the "victim" is and how close to "fight or flight" you push them.
The way it's been described so far, the reporter thought he had found an undocumented API...which, totally speaking out of guesswork here, could be as simple as seeing the json file being passed through the web inspector, seeing that there's an id field, and then iterating across it. The person has no expectation that when the id is of a private object, that the service would actually return that data.
Let me be clear: I don't think Kickstarter is going to go after the WSJ, or even that most companies would raise a huge stink about this.
That is what I have come to expect of such web pages.
And it said "Coming soon."
And someone found out they can goto http://thisisstep2.com/.
Should I be able to say "But.. you aren't meant to go there!" ? At what point does your legal boundary lie for what is considered a public webpage and what is considered "not authorised."
This is good behavior, not bad.
Do not fuck with other people's web applications unless you're sure it's OK.
It's OK at Google and to an extent it is OK at Facebook, because both have published policies. I think that's what you should do for your applications, too; if you don't, the other community norm is "no policy means report the bug to Twitter instead of your security contact".
You're obviously not going to go to jail (in the US) for not being careful about this stuff, but you can easily cost yourself 5 figures worth of legal fees and a whole lot of time and energy.
Source: http://www.kickstarter.com/blog/2011-the-stats
I took screenshots of her account, I logged out and logged back into my account. I sent an email to Kickstarter but I had no response from them. I still have the screenshots.