Comment by GrantMoyer
5 days ago
Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?
5 days ago
Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?
People have been prosecuted under that act for clicking "view source" on their web browser. The crime itself is irrelevant. It's more about who you are/what connections you have/who you piss off.
Has there actually been a conviction purely for "viewing source"?
That was a real news story. A journalist looked at the state's educator-credentials checker, viewed the source and saw it had teacher's SSNs in base64 somewhere in the plaintext. Missouri Governor Mike Parson then tried to legally threaten the journalist. Honestly, if this case wasn't as high-profile, I think he might have got a conviction, at least in state court.
https://www.theregister.com/2022/02/15/missouri_html_hacking...
exactly, the more interesting question: would anyone be willing to prosecute a Meta executive over this? Sadly, I expect no.
This only works if you control the code on both sides (ie. on the website being visited and an app running on the phone). It's not some sort of magic hack that allows you to exfiltrate arbitrary browser history. Therefore it's unclear how it can be construed as "hacking" in any meaningful way. As bad non-consensual tracking done by google/meta/whatever are, it's not covered under CFAA.
I agree it's not hacking, but the Computer Fraud and Abuse act seems to have a pretty broad definition of computer fraud and abuse. In particular, the technique seems like it might (emphasis mine) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value …". Would the other person have a reasonable belief that they didn't authorize access to information which their OS attempts to prevent access to?
I'm not a lawyer, so my question is genuine.
The yandex one uses client/browser-side code to exfiltrate; it’s within the realm of possibility to abuse this, given a user visits a site under your control.
On the FB side, I can see a malicious user potentially poisoning a target site visitors’s ad profile or even social media algorithm with crafted cookies. Fill their feed with diaper ads or something.
I don't know, you're purposefully abusing oversights to completely bypass the sandbox. It's an exploit for sure in my mind, and it seems very intentionally done. Like, it was done this way specifically because it allows them to circumvent other protections they know existed.
Yes