Depending on whose side of the story you hear first, headlines about “Security Researcher Arrested” tend to result in feelings of either anger or sympathy for the individual in question. Many of the circles I travel in tend towards the latter; “how dare the authorities come down on someone reporting a security hole”. And that’s often what the researcher in question has done – found a vulnerability then reported it to the company involved. But when we see someone arrested and in some cases successfully prosecuted, there’s usually more to it than that.
Take Dave Levin in Lee County who back in Jan, helped put together a video on security flaws he’d found in Lee County’s Supervisor of Elections Office. I suggest taking a few minutes to watch that first and forming your own opinions… then reading about how as of a few days ago, he found himself a guest of the local constabulary.
Now firstly, in Dave’s defence, the oversights on that website were egregious to say the least. SQL injection flaws alone are bad enough, but based on the video these also seemed to be especially trivial, both in terms of how easy they were to locate and how readily they could be exploited using Havij. This is a freely available and somewhat simplistic automated SQL injection tool that he’d allegedly learned how to use via an online course. Some years ago, I did a video on how my then 3-year-old could use it to exploit a sample site I’d created. When your site is getting popped that easily, you’ve got serious issues that need fixing.
However, we need to look at it from the other side too. Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data. That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private). The vulnerability was then recorded and published to YouTube, after which the site owner was notified. In this particular case, I suspect there may also have been some politics at play. [Correction: I've been advised that whilst the video was recorded before reporting the incident, it wasn't made public until after Dave confirmed the vulnerabilities had been rectified.]
Frequently, with a risk like SQL injection, a single request with a single erroneous character is enough to establish with a fairly high degree of confidence that a risk exists. For example, a URL with a query string such as ID=123 may return an internal SQL exception to the page if a single quote is appended thus malforming the underlying query. That exception won’t return any personal data and it won’t get you arrested (certainly I’m aware of no precedents), but it’s enough to demonstrate an underlying risk.
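To make the distinction concrete, here is an added example (mine, not from the post or the site in question) using an in-memory SQLite table with constructed rows: a query built by string concatenation, the parameterised version of the same lookup, and a probe that sends the single stray quote described above and only records whether the database surfaced an error. Nothing is read out beyond that signal.

```python
import sqlite3

def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)",
                     [(123, "alice"), (124, "bob")])
    return conn

def lookup_vulnerable(conn, record_id):
    # The flaw class from the video: user input is pasted into the SQL text,
    # so a single quote in the input changes the shape of the statement.
    sql = "SELECT name FROM records WHERE id = '" + record_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, record_id):
    # Hardened form: the value is bound as a parameter and can never be
    # parsed as SQL, so the same input is just a value that matches nothing.
    cur = conn.execute("SELECT name FROM records WHERE id = ?", (record_id,))
    return [row[0] for row in cur]

def probe(lookup, conn, record_id):
    # The single-request check from the text: does appending one quote make
    # the database throw (a risk indicator) or does it behave normally?
    # Either way no stored data is extracted; only the error class is kept.
    try:
        return {"rows": lookup(conn, record_id), "db_error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "db_error": type(exc).__name__}

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_vulnerable),
                     ("parameterised", lookup_parameterised)):
        print(name, "normal:", probe(fn, db, "123"))
        print(name, "quoted:", probe(fn, db, "123'"))
```

In a real deployment the equivalent signal is an unhandled database exception rendered to the response, which is why error pages should be generic and the detailed exception logged server-side.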
Often the defence on behalf of the researcher is that they need to go further in order to convince the organisation involved of the severity of the risk. For example, Andrew Auernheimer pulled the personal data of 100,000 iPad owners out of AT&T. Patrick Webster did a similar thing with First State Superannuation down here in Australia. Just last year it was a man in the UK testing VTech’s security. All of these cases exploited serious (dare I even say “unforgivable”) flaws in the companies’ websites, but all also accessed huge amounts of personal data and led to the involvement of law enforcement and many headlines of “Security Researcher Arrested”.
So keep that in mind when you’re watching the headlines and especially if you’re the one doing the research. Stop early, report ethically and may headlines about you be nothing but positive.