HACKER Q&A
📣 bughunter99

Where is the line between white and grey hat hacking?


I found a bug on a debt collector's website, because when I opened it to pay a small debt I had I noticed it was clearly built by an amateur. I got nervous about how they were handling my payment information and started prodding around dev tools. Within 5 minutes I found a bug that let me pull arbitrary debt records using only a numeric ID. It was a bit of a rabbit hole but it really didn't take long to find. These records often include last 4 of social security numbers, physical addresses, phone numbers, and of course the debt info itself. Judging by the ID numbers I tried, there are many of them.

This debt collector is used by major telecoms in the US. I tried emailing them and got no reply.

I didn't exploit the bug severely, but had to pull a few records to verify that the bug is real.

The reason I'm posting about this is I found it very enjoyable finding this bug and want to do more of this kind of research, for a few reasons (fun, learning, clout, $).

I have some questions for more experienced people in security research:

- Is this greyhat hacking? Or whitehat?

- Did I do something illegal or unethical? Is doing this putting me at risk even if I have good intentions and responsibly disclose?

- If they repeatedly ignore me, what do I do? Contact the CFPB? Publish it on a blog?


  👤 zeroEscape Accepted Answer ✓
I'm no expert but based on my understanding...

Whitehats are basically people who do what is legal whereas grayhats do what they think is right. For example: Say you are sitting on the toilet and your neighbor comes into your house and takes $10 out of your wallet and leaves. Also, let's say you see him but have no proof. Legally, you cannot break into his house to take the money back. You need to report it to the police etc. Of course, if you have no proof, then there isn't much point in reporting it. I think a lot of grayhats would just walk into their neighbor's house the next time he leaves and take the money back thus avoiding all the red tape.

Regarding what you did... It's not exactly certain because it seems like you kind of did it by accident, at least initially. Generally speaking, you need permission to hack someone. Someone can give you explicit permission or they can give people in general permission. Regardless, if you don't have permission, I believe you are supposed to stop immediately, inform the business and if they don't give you explicit permission, continuing to hack them would be illegal. If you continue, then that would be grayhat hacking. Illegal, not necessarily unethical.


👤 zzo38computer
One thing to possibly try is to see if their web server has a file named "security.txt" (try in the root directory and in the ".well-known" directory). It might not, but that is a way to find information about reporting security vulnerabilities, if the file is present.
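As an added illustration of the security.txt check suggested above (example code, not from the commenter or from any real site): it lists the two locations to try and parses an RFC 9116 security.txt, flagging a file that is missing the required Contact or Expires fields or has already expired. The sample file content is constructed; `example.com` is a placeholder.

```python
"""Locate and parse an RFC 9116 security.txt to find where to send a report."""
from datetime import datetime, timezone
from urllib.parse import urljoin


def candidate_urls(origin):
    """The two locations to try: /.well-known/ (the RFC 9116 location) first, then the root."""
    return [urljoin(origin, "/.well-known/security.txt"),
            urljoin(origin, "/security.txt")]


def parse_security_txt(text):
    """Map lowercase field name -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def report_channels(text, now=None):
    """Return (contacts, problems): contact URIs, plus reasons the file should not be relied on."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field (required by RFC 9116)")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("no Expires field (required by RFC 9116)")
    else:
        if len(expires) > 1:
            problems.append("multiple Expires fields")
        try:
            # RFC 9116 uses an ISO 8601 timestamp; accept the trailing 'Z' form.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"unparseable Expires value: {expires[0]}")
    return contacts, problems


# Constructed sample security.txt (placeholder domain, not a real site).
SAMPLE = """# Security policy
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""
```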

👤 gtirloni
I can't explain this any better than the answers here:

https://security.stackexchange.com/questions/13760/found-sec...

TL;DR: What you have done can be considered illegal in many countries, US included.

I'd consider what you did grayhat hacking (you were not requested to do a pentest, you want to do the right thing, you possibly didn't inflict any damages).

Yes, using your real name to report it to the company could put you at risk.

If you want to do this sort of work, look for bug bounty programs and abide by their rules (each program has different rules, what you're allowed to probe, etc).

If they repeatedly ignore you, it means you already made the mistake of contacting them in the first place. Count yourself lucky and move on. Do not under any circumstances publish how to hack this company on a blog.

If you want to contact the authorities because you think there is a great risk to society, do so anonymously.

IANAL. Good luck.