
The author found a vulnerability, extracted data they should not have had access to, processed the data (aggregated, anonymized), then published the data. Isn't everything starting from "extracted" illegal? Or is it a gray area where "the server would not have provided the data if I were not authorized to receive it" -- in spite of the author's admission that it was acquired via a vulnerability?


Yeah, this seems like it was a real bad idea on his part. If AI Dungeon get pissed by this, it could be bad for him. He clearly has gone past what is considered reasonable by extracting all this data to shame them into fixing it.


Agreed. Retrieving a single random record was enough to prove the vulnerability. Analyzing several days' worth of data (why??? What does that prove???) crosses the line firmly into black hat territory.


I guess if someone provides an API via GraphQL it’s hard to tell if it’s intended to be used publicly or not, and to what extent that use is permitted. The site and app both use that API endpoint, and going there gives you a nice page with full documentation of how to do every query plus an online IDE.

One might pull the data then start to wonder if they were supposed to get it only after they begin reading specifics that seem private.


Considering he had already found and reported this vulnerability before, and then took the time to write this report about it, that's not what happened here. He knew it was a vulnerability, he used it purposely to download private data and he looked into it. Not only could AI Dungeon sue him for this, but also the owners of the data (the people playing AI Dungeon) could.

There have been cases of ethical hackers who found a vulnerability and abused it to download a disproportionate number of records being convicted, at least in the Netherlands. It didn't matter that their goal was just to show it to the website owner. So if you're an ethical hacker reading this, I would strongly advise you to only download the minimum required to demonstrate a vulnerability (preferably your own data, or one record), and not do what this person did.


The data was retrieved by mass-upvoting unpublished documents and using an obscure GraphQL feature to extract fields that aren't part of the explicit interface.

I don't think you could do any part of that while assuming it's intended as normal use.


Agreed, this is a really bizarre article. It starts with "following responsible disclosure procedures...", and then you scroll down and the author says they downloaded millions of entries and then... checked to see how much of it was NSFW(!!)?

How is that not just prurient snooping?

