White Hat Researcher Jailed for Exposing SQLi Flaws by Phil Muncaster.
The headline is misleading, and the lead paragraph makes the same mistake:
A cybersecurity researcher who exposed vulnerabilities in a Florida elections website was last week arrested and charged on three third-degree felony counts.
It isn’t until later that you read:
…
“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data,” he explained in a blog post. “That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private).”
…
Watch the video that includes a screen capture not only of the attack, but of Dave Levin downloading files from the breached server.
All most people will read is “White Hat Hacker Jailed,” which is a severe disservice to the security community generally.
A more accurate headline would read:
White Hat Hacker Jailed For Screen Capturing His Crime
When you find a vulnerability you can:
- Report it, or
- Exploit it.
What is ill-advised is to screen capture yourself exploiting a vulnerability and then publish the recording.
It’s true that corrupt politics are at play here, but what other kind did you think existed?
No one, especially incompetent leadership, enjoys being embarrassed. Incompetent political leadership is often in a position to retaliate against those who embarrass it. Just a word to the wise.
PS: If you are going to commit a cyber-crime, best thinking is to NOT record it.