
A friend of mine works at a very small business. They got a new intranet.

They have recently got a new website to share news, information, etc. The website has a public and an internal area. The internal area requires login, for example a calendar.

My friend discovered that if you have a direct link/deep link to the internal calendar, the page can be accessed without logging in.

Now the company claims that he has hacked the website. (They have fixed the problem so that the calendar and other pages cannot be accessed without login.)

As an IT professional I will say that is not hacking, but bad configuration and setup.

What do you think? Hacking or not hacking?

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/

Well, I'd consider it hacking, especially if the internal calendar contains private or high security information, otherwise I'd just call it a little mischief. 😏

AMD Ryzen™ 5 5600g w/ Radeon Graphics | 16GB DDR4-3200 RAM | 256GB NVME SSD + 2TB HDD | Amazon Basics 2.0 Speakers

                                                                                       

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676122

Using normal functions is not hacking. If anyone could have found it, then it's a mistake on the developer's side, not hacking. If one needs to have knowledge about IT development, has looked at source code to find things etc., then it's hacking. If they have done so in order to cause issues, gather information or blackmail, then it's cracking.

If someone finds an asset (phone, bag, laptop, car) and returns it to the owner, they are stealing anything. If they have used methods other than what anyone can do, then it's stealing or accessing without permission. Even if doing so just to return it to the owner. If they have done something malicious, then it's pure theft. Calling something hacking when it's your own fault is just about trying to shift blame.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676131

Any normal functionality is not hacking, and if it's a security hole, that's not the employee's fault. This is how S3 buckets leak FYI.

 

It bears repeating that "hacking" requires a motive. Me hitting F12 to look at the dev console is not hacking. I can change anything in the dev console, it affects YOUR site zero. If your site doesn't sanity check data sent to it, that is YOUR problem, not mine. All these "Client-sided" garbage mobile-first apps are too quick to trust the user isn't going to delete stuff from it.

 

And LET ME TELL YOU, any time I see a paywall, yet I saw the content first? I hit F12 and delete the paywall. I'm not stupid, and you just presented a challenge to me. That paywall is still there. You had the balls to send me the site before you demanded money. Nuh uh, extortion ain't gonna work on the web.

 

 

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676134

7 minutes ago, LogicalDrm said:

Using normal functions is not hacking. If anyone could have found it, then it's a mistake on the developer's side, not hacking. If one needs to have knowledge about IT development, has looked at source code to find things etc., then it's hacking. If they have done so in order to cause issues, gather information or blackmail, then it's cracking.

If someone finds an asset (phone, bag, laptop, car) and returns it to the owner, they are stealing anything. If they have used methods other than what anyone can do, then it's stealing or accessing without permission. Even if doing so just to return it to the owner. If they have done something malicious, then it's pure theft. Calling something hacking when it's your own fault is just about trying to shift blame.

hacking can be exploiting normal functions of a system.

I hacked school computers by guessing passwords and using the normal function of the system to gain access to the network I should not have had.

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676139

8 minutes ago, ToboRobot said:

hacking can be exploiting normal functions of a system.

I hacked school computers by guessing passwords and using the normal function of the system to gain access to the network I should not have had.

 

Nope. Because typing the wrong password and hitting the reset button is not hacking. 

 

Only these cases count as hacking:

- "you are accessing a system (eg the server)" + "with an intent to acquire information you were not supposed to have"

- "you are accessing a hardware device" + "with an intent to operate/access/open it, without permission"

- "you have physical access to hardware/software" + "with an intent to exfiltrate data NOT already present"

 

This is why most "Website hacking" is just not a thing. If it only exists in the web browser cache, it's not hacking. A permalink to a content object is not hacking. That is your setup not doing proper permission checking, and entirely on you. If someone gains access to the backend, and edits the HTML to go "tez wuz here", vandalism/defacement, that is hacking, but that is again, likely a mistake on the administration of the server's part.

 

When we get into the difference between hacking and cracking things are more black and white. Cracking is by definition "safe cracking", or willful, often bruteforce, attempts to get into something without permission through force, even if it's destructive.

 

 

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676151
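The missing permission check on a permalink that the post above describes, as an added example that is not part of the thread and not the company's code. The route table, handler names and the "any non-empty session is valid" rule are assumptions made for illustration; the audit function is the check a site owner could run against their own routes.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Route:
    handler: Callable[[], str]
    public: bool = False  # deny by default: a route is internal unless marked public

# Constructed sample site: two public pages, two internal ones.
ROUTES = {
    "/": Route(lambda: "news", public=True),
    "/login": Route(lambda: "login form", public=True),
    "/internal/calendar": Route(lambda: "staff calendar"),
    "/internal/documents": Route(lambda: "staff documents"),
}

def nav_links(session: Optional[str]) -> list[str]:
    """Menu shown to the visitor; internal links are hidden when logged out."""
    return [path for path, route in ROUTES.items() if route.public or session]

def dispatch_menu_only(path: str, session: Optional[str]) -> tuple[int, str]:
    """Flawed: hiding the link is the only 'protection'; the session is never checked."""
    route = ROUTES.get(path)
    if route is None:
        return 404, ""
    return 200, route.handler()

def dispatch_checked(path: str, session: Optional[str]) -> tuple[int, str]:
    """Fixed: authorization is decided on the server, per request, before the handler."""
    route = ROUTES.get(path)
    if route is None:
        return 404, ""
    if not route.public and session is None:  # assumption: any session value is valid
        return 302, "/login"
    return 200, route.handler()

def audit_anonymous_access(dispatch) -> list[str]:
    """Request every internal route with no session; return the paths that were served."""
    return [path for path, route in ROUTES.items()
            if not route.public and dispatch(path, None)[0] == 200]

if __name__ == "__main__":
    print("menu when logged out:", nav_links(None))
    print("served without login (menu only):", audit_anonymous_access(dispatch_menu_only))
    print("served without login (checked):  ", audit_anonymous_access(dispatch_checked))
```
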

Reminds me of the time I got in trouble for "hacking" the school computers in third grade. I somehow accidentally saved my Storybook Weaver project on C:\ instead of A:\, then searched for it in Explorer and dragged it to A:\.

 

Sounds like "you made the computer do something I don't understand" still equates to "hacking" to luddites with authority. 🤦‍♂️

 

Normal operation of a computer is not "hacking".

I sold my soul for ProSupport.

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676153

7 hours ago, ToboRobot said:

hacking can be exploiting normal functions of a system.

I hacked school computers by guessing passwords and using the normal function of the system to gain access to the network I should not have had.

Trying to access something that you aren't supposed to be accessing is cracking. Inputting wrong password and wrong username and getting it correct first time would be lucky. You were cracking easy passwords, not just using basic functionality.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676471

13 hours ago, LogicalDrm said:

Trying to access something that you aren't supposed to be accessing is cracking. Inputting wrong password and wrong username and getting it correct first time would be lucky. You were cracking easy passwords, not just using basic functionality.

Word games are silly.

Authorized computer access is hacking, all the authorities will punish you for it.

To repeat, exploiting normal functions of computer systems can be part of hacking, legal/ethical or not.

go read Computer Fraud and Abuse Act 1986.

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16676846

6 hours ago, ToboRobot said:

Authorized computer access is hacking, all the authorities will punish you for it.

If the webserver is set up to authorize access to an internal resource to everybody, then it's literally authorized. It's not hacking, it's misconfiguration. Otherwise you could put your website on the internet, make it completely open, and then write in small print in your license agreement that "actually, you're not allowed to access any of this, so if you do as much as open the front page, you're committing a felony, mkay?".

Another example: if my account has access to an internal document, because I need it for work (so, I'm supposed to have access), and I save a link to this document on my work machine, and then open it and get access to it, but authorization in my browser is actually expired at this point, I'm not "hacking". And, actually, I suppose that's exactly what happened.

The business owner (or whoever is responsible for this communication process) is not very bright, that's all. The OP's friend has done nothing wrong, and not only that, he/she is doing them a favor. They want to prosecute the friend. Well, next time nobody's telling them about stuff like this. They will find it out the hard way.

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16677104

Walking into an unlocked door on someone else's property is still trespassing. So yeah, it's hacking by strict definition, but not malicious. The term "hacking" in and of itself is neither good nor bad, it just factually describes an activity. At worst, it's white hat hacking, given that said friend found the vulnerability and reported it instead of exploiting it. So if the company is just claiming that that friend hacked something, they're likely correct. But that shouldn't come with any repercussions. In fact, they should thank that friend for reporting it in the first place.

And now a word from our sponsor: 💩

ℑ𝔣 𝔶𝔬𝔲 𝔬𝔫𝔩𝔶 𝔫𝔬𝔱𝔦𝔠𝔢 𝔭𝔢𝔯𝔣𝔬𝔯𝔪𝔞𝔫𝔠𝔢 𝔭𝔯𝔬𝔟𝔩𝔢𝔪𝔰 𝔴𝔥𝔢𝔫 𝔶𝔬𝔲 𝔥𝔞𝔳𝔢 𝔞 𝔰𝔱𝔞𝔱 𝔠𝔬𝔲𝔫𝔱𝔢𝔯 𝔬𝔳𝔢𝔯𝔩𝔞𝔶 𝔞𝔠𝔱𝔦𝔳𝔢, 𝔶𝔬𝔲 𝔞𝔯𝔢 𝔪𝔢𝔯𝔢𝔩𝔶 𝔩𝔬𝔬𝔨𝔦𝔫𝔤 𝔣𝔬𝔯 𝔭𝔯𝔬𝔟𝔩𝔢𝔪𝔰 𝔱𝔬 𝔟𝔢 𝔲𝔭𝔰𝔢𝔱 𝔬𝔳𝔢𝔯. 𝔗𝔲𝔯𝔫 𝔬𝔣𝔣 𝔱𝔥𝔢 𝔠𝔬𝔲𝔫𝔱𝔢𝔯 𝔟𝔢𝔣𝔬𝔯𝔢 𝔞𝔰𝔨𝔦𝔫𝔤 𝔣𝔬𝔯 𝔥𝔢𝔩𝔭 𝔞𝔫𝔡 𝔰𝔢𝔢 𝔦𝔣 𝔶𝔬𝔲 𝔰𝔱𝔦𝔩𝔩 𝔫𝔬𝔱𝔦𝔠𝔢.

-.-. --- --- .-.. --..-- / -.-- --- ..- / -.- -. --- .-- / -- --- .-. ... . / -.-. --- -.. .

ᑐᑌᑐᑢ

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16677107

I mean it's one thing to claim it's hacking, it's another to put any punishments, or threats of punishments, in place for it.

Is it hacking? ... only by a classical definition. It is in no way true in the colloquial modern sense.
Is it unauthorized... kinda? But also not really, since there was no attempt to authorize the user, so one has to assume that it was a public usable landing page.

If there were any repercussions, fight back. If there weren't any, who cares.

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16677117

boomer or millennial normie bosses use the word hacking as a wildcard, if you guess the password on a keypad based on how worn out the numbers are that's not hacking or tampering with the equipment, bros take zero accountability for their own mistakes. If the system had such a massive security flaw that means they went for the cheapest possible webdev and then went surprised pikachu when they learned the website was dogshit. "Boy, everyone's stupid but me"

 

first fuck up don't have internal and public stuff on the same domain

On 3/8/2025 at 11:35 AM, Kisai said:

And LET ME TELL YOU, any time I see a paywall, yet I saw the content first? I hit F12 and delete the paywall. I'm not stupid, and you just presented a challenge to me. That paywall is still there. You had the balls to send me the site before you demanded money. Nuh uh, extortion ain't gonna work on the web.

[Attached image: paywall.jpg]

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16677132

2 minutes ago, Caroline said:

boomer or millennial normie bosses use the word hacking as a wildcard, if you guess the password on a keypad based on how worn out the numbers are that's not hacking or tampering with the equipment, bros take zero accountability for their own mistakes.

Bro bringing in generational hate when it doesn't even apply, and then uses the wrong generations.

Millennials all fought with DOS-based Windows growing up, man.

https://linustechtips.com/topic/1604488-hacking-or-not-hacking/#findComment-16677134