White Hat Researcher Jailed for Exposing SQLi Flaws

A cybersecurity researcher who exposed vulnerabilities in a Florida elections website was last week arrested and charged on three third-degree felony counts.

Vanguard Cybersecurity boss David Levin handed himself in on Wednesday and spent five hours in the Lee County Jail cells before being released on a $15,000 bond, according to local reports.

He had posted a YouTube video detailing his research, in which he used the popular Havij automated SQLi tool to find simple SQL injection flaws in the website of the Lee County Supervisor of Elections Office.

Dan Sinclair, one of the candidates currently running for the supervisor of elections position, appears alongside Levin in the video, although he was not involved in the research itself.

“Dave didn’t do anything wrong,” he’s quoted as saying. “This is political corruption.”

However, Troy Hunt, security researcher and owner of the Have I Been Pwned? site, argued that Levin was in the wrong as he could have demonstrated security weaknesses in the site without exposing personal data.

“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data,” he explained in a blog post. “That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private).”

He urged researchers to “stop early” and “report ethically” to avoid any similar legal repercussions in the future.

Levin himself seems to agree, posting the following tweet today:

“@troyhunt is right, and I let hubris get the best of me. From now on I’m asking myself, ‘What Would Troy Do?’ #WWTD”

He has been charged with three counts of unlawful access of a computer system after the incident in early January.

SOURCE: Phil Muncaster | Infosecurity Magazine
