Hello guys this is my first post @ DP, i have been lurking the Legal Issues forum and think this is the forum for my question.. First i want to be a White Hat, A whitehat hacker is someone who discovers (or attempts) exploits for good use So recently i came across a "PasteBIN" link that had over 200 websites that were vulnerably to sql injection ( this would give me access to the whole database and you could potentially hack the website ) I tested one website that was inactive since 2005, and it worked, didnt do anything just got access -------------------------------------------------------------------------- So what i want to start doing is alerting the site owners via Contact Us or the Who.is domain email This would be the layout of the Email Hello Sir/ Madam, I came across your website and have found flaws in your security These flaws are ....... and give me access to..... I will be willing to show you how to fix this, and show you the right means to repairing your website and making it 100% secure. Email me back if you want my help. Thanks, Skilledx0ut But my problem is if i start sending these emails could they get me in trouble?, like start blaiming me saying "hold on you have been hacking my website, and start trying to say that ive been hacking?, when all i will be trying to do is help them?"and if they do say that is there any legal action they can take against me?
Generally speaking, a white hat hacker will have gained permission to test the security of someones sites before making any attempts to gain access or breach their sites in any way or form. So, generally speaking, what you have done is wrong. Yes, you can argue that what you are doing/have been doing, was for their benefit, but at the end of the day, you have done something wrong. The action that they could take, would be dependant on the level of trace you left, linking you to any access gained to their site (i might point out, that telling them via email is pretty much admission), however, remember, should you be in a different country, it starts to become a little more grayed out. You could point out, you "set up a test site" (a little white lie), and as above, mention the exploits and what damage this could lead to. Ultimately, it's up to your discretion, should you contact these people. Though if you did it, I would recommend not mentioning the site you tested it on.
Yes you would need permission first. Soliciting via pen testing then emailing the client is very shady and will only result in giving you a bad rep and perhaps causing legal issues of your own.
There is no such thing as "whitehat hacking". By its definition hacking is hacking There is such a thing as penetration testing but that is when a site/ server/ network owner requests others to simulate hacking to test the sites levels of protection. Irrespective of "intent" it would be illegal in the UK for you to have attempted to gain unauthorised access to their servers and so if a complaint was made to the police they would (in theory) have to follow it up and could result in a criminal record. Obviously this will vary by country. It is up to you of cause if you want to admit to your hacking to the sites owners, though you may want to put it slightly better such as a "simulated pen test". I suspect most receivers will simply delete your email, a few will give a rude reply and a small number may be interested in your services or will look to have their security improved by others. I think you would be unlucky to have someone do anything more serious and if your in a certain countries your probably safe from any legal ramifications but there is always an outside chance and it depends if you think its worth the effort. To be honest, those that want pen testing done tend to be larger organisation and then they go to established names that use a lot of automated tools for doing it - a former client had all 100+ servers pen tested every night with a full RBAC dashboard for the relevant people to see the results in realtime etc. If you think you want to make a legitimate income out of your skills at hacking your generally better off installing your own versions of products and trying to hack your own sites and then informing the vendor/ creator of the security holes you've found. Unlikely to get directly paid for it but can result in job offers or at least paid tester freelance work
Astaroth has nailed it there. You will be in a world of trouble. Not only will you potentially be making an admission of criminal activities, you could also end up being accused of blackmail, depending how you word it.
I am wondering why you would want to do that? I wouldnt like someone getting in my house and then calling me to let me know ive left my window open. If you are trying to help website owners out then why not set up a security auditing/pen test/security consulting business?
I mean, unless they have proof, they can't put anything on you. But why do that and get accused of spamming?