An Australian teenager has accepted a caution from police rather than face hacking charges for discovering a vulnerability in the website of one of the country’s public transport authorities late last year.
Joshua Rogers of Melbourne accepted the caution, he told IDG News Service via email yesterday. He will not face charges, and the caution – an acknowledgement that he broke the law – will be expunged from his record in five years if he does not commit the same offense in that period.
Rogers’ hacking case illustrates the fine line that computer security researchers tread when hunting for software vulnerabilities on public websites.
Large technology companies such as Google and Facebook encourage security researchers to probe their sites and pay rewards for supplying security information. The rewards are paid on the condition that researchers do not share the information publicly until the problem has been fixed.
But without that kind of blessing, hacking activities that may be research could easily be considered malicious and violate computer crime laws.
Rogers found a SQL injection vulnerability on the website of Public Transport Victoria (PTV), which runs the state’s transport system. The type of vulnerability affects databases that do not filter certain kinds of input correctly.
Rogers found he gained access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. He maintained he downloaded two or three records from the database as part of his research, then deleted the data.
He notified PTV of his findings via email on 26 December, a public holiday in Australia, copying 13 employees of the agency on the correspondence. After not receiving a response, he contacted Fairfax Media. Its Melbourne paper, The Age, covered the story.
At the time, PTV decline to comment and said the incident was under investigation. Then in May, between six and eight police officers came to Rogers’ residence and seized various electronic equipment, including USB sticks, his Samsung phone, a laptop and a server, Rogers wrote on his blog.
Rogers was interviewed at a police station the same day and told he may have violated a computer crime law that prohibits “unauthorized access, modification or impairment with intent to commit a serious offense.”
According to Australia’s Cybercrime Act of 2001, the offense is punishable by between five years and life in prison. On 2 July, police gave Rogers the option of admitting he broke the law by signing the caution.
“The other option was to go through the whole process of being charged, and then going to court,” he wrote via email. “It’s not like I could have said ‘I didn’t do it!’, after all.”