Bug hunters face online-apps dilemma

Security holes in online applications may go unreported because well-intended hackers don't want to risk going to jail.

Security holes in online applications may go unfixed because well-intended hackers are afraid to report bugs.

Web applications pose a dilemma for bug hunters: how to test the security without going to jail? If hackers probe traditional software such as Windows or Word, they can do so on their own PCs. That isn't true for Web applications, which run on servers operated by others. Testing the security there is likely illegal and could lead to prosecution.

"There are more legal dangers to testing an application that is hosted on somebody else's system. That is a real challenge of this new application model," said Wendy Seltzer, an assistant professor specialized in Internet law at New York's Brooklyn Law School.

As a consequence of the legal threat, the well-intended "white-hat" hackers often credited with finding bugs in traditional software are hesitant to audit Web applications. This means that online applications don't face the same scrutiny as traditional software, and serious security holes could be left for unscrupulous criminal hackers to find.

"We're losing the Good Samaritan aspect of security," said Jeremiah Grossman, chief technology officer at Web security company WhiteHat Security. "If it's illegal to find vulnerabilities in Web sites, it means only bad guys know where the vulnerabilities are. This is one of the big issues in information security as we shift to a Web 2.0 world."

Caleb Sima, chief technology officer at rival Web security firm SPI Dynamics, agreed that the legal threats effectively make Web applications less secure. "If a vulnerability existed, it would be the black hat hacker that would find it because they don't care. That causes Web apps to be less secure," he said.

The onset of what's become known as Web 2.0 is causing a splash, as it stretches the boundaries of what Web sites can do. But as sites become rich with new features, offering an experience akin to desktop applications, the security risks also increase, experts have said.

Bug hunting has been a legal gray area for people who probe desktop software. They may be breaking the law when they take apart, or reverse-engineer, software sitting on a PC. But the law is clear-cut when it comes to Web sites, said Jonathan Zittrain, professor of Internet governance and regulation at Oxford University's Internet Institute.

"The venerable Computer Fraud and Abuse Act in the U.S., and corresponding laws in other countries, criminalizes unauthorized access to a machine, including 'exceeding authorized access.' The point of a hack to expose a security vulnerability (in a Web application) is usually to do just that," Zittrain said.

Prosecutors could use several laws to go after security researchers who break into an online application, but the Computer Fraud and Abuse Act is the primary one. It provides for a fine or up to a year in prison for somebody who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage."

"It is a problem for people who do have the public interest in mind and who are trying to expose flaws that are putting people's privacy or information at risk," Seltzer said.
