URL-Hacking: Do-it-yourself Navigation

Sometimes lawyers contact me about a case featuring URL hacking (or, as one such lawyer called it, “URL typing”). I haven’t yet been interested enough in a case to offer to do any writing or testifying for free. But I’ll summarize my position here.

  • If a company built a private warehouse, not intended to be accessed by the public, and I broke through the door and saw a secret, I would be in the wrong; the problem here is breaking and entering.
  • If a company built a gallery that was open to the public, and put its secrets out on the walls along with the material visitors are supposed to see, and I walked in when the gallery was open for business happened to see a secret, I have done no wrong; the problem is the company’s non-existent security.
  • If a company built an archive, where all visitors were expected to write down a catalog number and wait in the library while the clerk fetches it, and I ask the clerk to bring me “documents/2008/annual,” the clerk will probably first go to the shelf and see if such a document exists.
    • If it does exist, the clerk will check to see whether the document has a “Top Secret” tag on it, or an “Embargo until Dec 2007” sign, or a note that says “Only Bill, Sally, and Freddy are permitted to read this document.”
    • If the owner of the item has placed it in the archive without any restrictions whatsoever, the clerk would be expected to treat this request just like any other.
  • The problem is once again the company’s non-existent security.

In the archive example above, if I bombarded the clerk with hundreds of random requests, hoping to come up with something unexpected, that’s a very different matter from actually typing the URL out of a desire to get to a page that deductive reasoning suggests ought to exist.

Since some web pages are dynamically generated from URLs that include complex parameters, there is not a clear line between what counts as simply typing the URL and manipulating complex parameters in a deliberate attempt to alter the way the site’s designers expected the site to behave.

Of course, manipulating a system may be against the terms of an end-user license, student handbook, employment contract.

Just because a company’s website permits a hack does not automatically excuse all the actions carried out by the hacker. Most hackers are simply curious, seeking a faster, more powerful way to do something that seems slowed down by an unnecessarily tedious newbie-friendly process. URL hacking won’t help a user bypass a simple .htaccess password, and it won’t let user see sensitive material unless the webmaster has already placed that material on the website. —URL-Hacking: Do-it-yourself Navigation (Jerz’s Literacy Weblog)

I just added this section to an old handout.