
Defeating access control by using credentials that aren't yours is fraud.

Like, if you found a company badge lying around, go to that office and flash the badge to the security guard and go in. You've committed fraud by tricking the guard into thinking you're authorized to enter when you weren't.



I see, thanks.

No credentials involved here, though.


TFA mentioned sending requests with a table number that the sender was not at. That is hardly any different from the idea of showing a badge that wasn't issued to you. The ease of spoofing doesn't matter at all, in the eyes of such laws.

The same could be said about typing any URL that wasn't knowingly supplied to you by the owner, but a "reasonableness test" in court would sort those out from nefarious activity.


The question a judge (or jury) would answer is: would a reasonable person think they had permission to access it?

API documented on the website under a section called “For Developers”? Probably, yes. API reverse engineered by intercepting requests? Probably not.

Note that the blog was taken down before I could read it myself.



