The Ethics of Probing Web Applications
I have observed a trend recently that has me internally debating the ethics of the practice. Security professionals are probing public web sites for vulnerabilities, then going through a “responsible” disclosure process with the owners of the site. Then they blog about their exploits and how responsive the owner was to being notified.
How is this different from traditional hacking by the bad guys? Does the disclosure process make it any better? Does the fact that they do security for a living and write for security journals make it more ethical? And what of the applications that are vulnerable to routine exploits? What does one do with a successful SQL injection query that just gave you a table full of social security numbers?
On the surface, it seems unethical to me. Attempting to break access controls, even if they are weak, is unethical and maybe illegal. Doing something untoward against another computing resource for which you do not have authorization is treading on thin ice.
But there’s another side to the story here. Applications are moving more towards the software-as-a-service, or SaaS, model. Whereas once you would have been able to download the software and legally and ethically reverse-engineer it, now the application is only hosted on another computer. This changes things in a big way, since you’re working on someone else’s computer now.
The argument could be made that since the application is public, there is an expectation that it will be poked and prodded, so it might as well be the good guys who do it. The bad guys aren’t going to go through a responsible disclosure process, so when the good guys test the application and make the flaws known to the application owner, everyone benefits (as long as they actually fix it). It can also be said that for security to continually improve, we have to continually test it. If the world is moving towards a web-centric model, we have to move with it.
Honestly, I can see both sides; yet, I am still left with the feeling that, in many cases, it’s nothing more than the security guy trying to have some fun and make a name for himself. If that’s the case, he should carefully consider what that name may be.
It’s a great question, one that I struggle with on a regular basis. Here are my additional issues:
Example: I sign up for service with a new bank, but I realize that their website is custom made and probably has more holes than a block of Swiss cheese. If I poke at it, I am breaking the law; there is no doubt in my mind about this. But what about my information? What rights do I have as a consumer to ensure that my data, privacy, and money are being adequately protected?
Secondly: As a security professional, my job is to combat the hackers, to know what they know, and to figure out how to stop them. My route to this end has always been to know what they know by learning it, but you can’t learn all the different ways somebody can do SQL injection by watching a video or reading a white paper or even testing in your own lab; this often requires “real world” targets. Now I get real world targets as part of my job, but how do I stay sharp for my job?
My question for legality, ethical hacking for sport vs. plain hacking… If you walk around a neighborhood and simply turn door handles to see whose door is unlocked, is that illegal, or does it only become illegal once you open the door and set foot inside? The difference between the two assailants is that the ethical hacker finds the door open, then rings the doorbell to tell the owner that this is not a good practice… It’s like neighborhood watch ;)