Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 83, Issue 21
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 19 Jan 2012 09:14:12 +1300

BMF to Valdis:

Yes, people *have* been prosecuted for playing "twiddle the URL" games
before.  I'd have to go dig up a cite, but it's happened (hacker was basically
abusing a site's predictable URL scheme).

Here is one relatively recent incident of "twiddle the URL" which got
someone prosecuted and will be familiar to some here...


That's not really "twiddle-the-URL is hacking" though.

They allegedly (cough, splutter!) knowingly and wilfully twiddled a
specific URL in a specific way that they had already determined led to
the exposure of account details of users other than themselves, et seq.
If that is the case they clearly were in breach of all manner of
"unauthorized access" laws.  That has little to do with true "twiddle-
the-URL is hacking".

To get a "purer" example of "twiddle-the-URL is hacking", I seem to
recall that there was a German case back in the late 90s/very early
00s where the court ruled that a trivial act of "URL pruning" -- taking
a published URL and removing the tail, and/or traversing back up the
directory tree exposed by the _published_ URL -- was an act of
"hacking" (I don't recall the exact German legal issue/charge, but am
fairly sure it was something other than a trivial/silly (mis-)
application of "unauthorized access").

I can't be bothered trying to find a record of that case -- previous
attempts last time I recall this issue arising in this list failed --
but I will refer you to a UK case from 2005:



Basically, given a URL like http://example.com/?foobar or
http://example.com/foobar.php has been published in some way, and
http://example.com/ has not, this case suggests that trying to access
that second URL is an "unauthorized access" offence.  In particular,
note from p. 2 of the PDF in the second URL, above:

   But the prosecution said that Cuthbert must have known the directory
   traversal was unauthorised. It was this interpretation the court
   accepted; in effect, overall intent was irrelevant, there were no
   circumstances in which there was consent for directory traversal.

This conviction seems to be pretty widely seen as a trivial/silly mis-
application of the UK's Computer Misuse Act "unauthorized access"


There are bound to be other vaguely similar cases in the UK and other


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
