Comment by 0xDEAFBEAD
2 months ago
Sure, but do adtech companies buy vulnerabilities in web services to advance their mission? Wouldn't that risk running foul of e.g. the Computer Fraud and Abuse Act?
You don’t need to sell the vulnerability to them, or even tell them the vulnerability is there. Just set up an API and bill them by the query.
This ignores tptacek's points in the top-level post.
> [...] a bug that Google can kill instantaneously, that has effectively no half-life once discovered, and whose exploitation will generate reliable telemetry from the target.
You can't set up unmask-as-a-service because it's going to take you longer to get clients than it will take Google to shut down your exploit.
Yes, but:
1. It can still take a while before Google finds out
2. You can log every mapping you got in the meanwhile, then keep selling the ones you already have
Edit: although probably most of your business will be over when word gets out that your data isn’t exactly legal (which your clients have understood from the start, of course; they could just plead ignorance)
I’ve seen a light version of this, where a “marketing data” company was scraping baby shower gift registry pages and selling the data to an infant formula company in the US.
The scraping was def in violation of the EULAs. Product data is one thing, but I believe this group was combining it with other sources and selling the identities and context as a bundle.
An API is too much work. Grab the addresses for the top 100,000 YouTubers and sell that csv on the dark web.
What happens when the first to buy the CSV starts selling it themselves?