This will only be an ethical tool when everyone is honest about the fact that an AI is moderating, and people can reedit their posts. If you give admins the option to disable reediting, in order to hide that an AI is controlling, then they will do. And then it's a tool for suppression of free speech.
AFAIK, what this dude did - running a script which tries every password and actually accessing personal data of other people – is illegal in Germany. The reasoning is, just because a door of a car which is not yours is open you have no right to sit inside and start the motor. Even if you just want to honk the horn to inform the guy that he has left the door open.
This isn't directly applicable to your point, but I need to correct this. They weren't guessing tons of passwords, they were trying one password on a large number of accounts.
For clarification, here's the actual quote from the article describing the process:
> I verified the issue with the minimum access necessary to confirm the scope - and stopped immediately after.
No notion of a script, "every password" out of a set of a single default password may be open to interpretation, no mention of data downloads (the wording suggests otherwise), no mention of actual number of accesses (the text suggests a low number, as in "minimum access necessary to confirm the scope").
Still, some data was accessed, but we don't know to what extent and what this actually was, based on the information provided in the article. There's a point to be made about the extent of any confirmation of what seems to be a sound theory at a given moment. But, in order to determine whether this is about a stalled number generator or rather a systematic, predictable scheme, there's probably no way around a minimal test. We may still have a discussion, if a security alert should include dimensions like this (scope of vulnerability), or should be confined to a superficial observation only.
> That's it. No rate limiting. No account lockout.
To me, if he confirmed that there’s no rate limiting on the auth API, this implies a scripted approach checking at least tens (if not more) of accounts in rapid succession.
Granted. I guess, unless it's applied very aggressively, assessing the existence of rate limiting may require some sort of automation (and probably some heuristics – how many data points do you actually need? do you have to retrieve any data at all, while looking for a single signal? The article doesn't tell.) Same goes for lockout.
On the other hand, as mentioned already, all that's required is really looking for a return code and not for any data. Is accessing an API endpoint the same as retrieving data? Is there proof or evidence of intent of the latter? I guess, there remains much to be defined. Especially, if it's not so much about protecting reputation than it is about protecting data and ensuring trust, and the intent is to protect and secure this in the first place.
Maybe the law should be changed then. The companies that have this level of disregard for security in 2026 are not going to change without either a good samaritan or a data breach.
I understand why the author thought that way, but showing up with private data that the company is obligated to protect complicates things quite a lot more.
I've dealt with security issues a number of times over my career, and I'm genuinely unsure what my legal obligations would be in response to an email like this. He says the company has committed "multiple GDPR violations"; is there something I need to say in response to preserve any defenses the company may have or minimize the fines? What must I do to ensure that he does eventually delete the customer data? If I work with him before the data is deleted, or engage in joint debugging that gives him the opportunity to exfiltrate additional data, is there a risk that I could be liable for failing to protect the data from him?
There's really no option when getting an email like this other than immediately escalating to your lawyers and having them handle all further communication.
It should, and that SOP is essentially always going to say something like "file a tracking ticket and immediately forward to legal for all further conversation". It sounds like the author really was just trying to be a helpful guy, but the typical person who emails a company about "multiple GDPR violations" is absolutely trying to get them in trouble, and a random developer with no comms training risks putting their foot in their mouth in legally consequential ways.
You don't need to retrieve other people's data to demonstrate the vulnerability.
It's readily evident that people have an account with a default password on the site for some amount of time, and some of them indefinitely. You know what data is in the account (as the person who creates the accounts) and you know the IDs are incremental. You can do the login request and never use the retrieved access/session token (or use a HEAD request to avoid getting body data but still see the 200 OK for the login) if you want to beat the dead horse of "there exist users who don't configure a strong password when not required to". OP evidenced that they went beyond that and saw at least the date of birth of a user on there by saying "I found underage students on your site" in the email to the organization.
If laws don't make it illegal to do this kind of thing, how would you differentiate between the white hat and the black hat? The former can choose to do the minimum set of actions necessary to verify and report the weakness, while the latter writes code to dump the whole database. That's a choice.
To be fair, not everyone is aware that this line exists. It's common to prove the vulnerability, and this code does that as well. It's also sometimes extra work (set a custom request method, say) to limit what the script retrieves and just not the default kind of code you're used to writing for your study/job. Going too far happens easily in that sense. So the rules are to be taken leniently and the circumstances and subsequent actions of the hacker matter. But I can see why the German rules are this way, and the Dutch ones are similar for example.
If the nontechnical team is refusing to forward it to whoever maintains the system, they apparently see no problem and you could disclose it to a journalist or the public. Or you could try it via the national CERT route, have them talk to this organization and tell them it's real. In some cases you could send a proof of concept exploit that you say you haven't run, but they can, to verify the bug. You can choose to retrieve only your own record, or that of someone who gave consent. You can ask the organization "since you think the vulnerability is not real, do you mind if I retrieve 1 record for the sole purpose of sending you this data and prove it is real?"
In jurisdictions like the one I'm most familiar with, it's official national policy not to prosecute when you did the minimum necessary. In a case where you're otherwise stuck, it's entirely reasonable to retrieve 1 record for the sake of a screenshot and preventing a bigger data leak. You could also consider doctoring a screenshot based on your own data. By the time they figured out the screenshot was fake, it landed on a technical person's desk who saw that the vulnerability is real.
Lots of steps to go until it's necessary to dump the database as OP did, but I'll agree it can sometimes (never happened to me) be necessary to access at least one other person's data, and more frequently that it will happen by accident.
That's still not your concern or your problem. You're not internet Batman. Opening up yourself to criminal liability for someone else's site is insane.
Yeeeeah, that's not how it works lol. Anyone who does offensive security for more than 5 minutes understands how little protection they have. And true anonymity is much, much harder than you think.
If you act in certain ways, you will probably not get in trouble but I have a lawyer on retainer for a reason lol
The harsh truth is you aren't protecting anything by doing this, because you can't control how (or if!) they fix the problem. All you're doing by accessing the data is for-real committing a felony, and that is an incredibly stupid thing to do.
That doesn't necessarily track. He could have stolen the data, then reported it to clear his own name. He did access more data than he needed to prove that there is a likely breach.
It's not necessarily just Germany. Lots of countries have laws that basically say "you cannot log in to systems that you (should) know you're not allowed to". Technical details such as "how difficult is the password to guess" and "how badly designed is the system at play" may be used in court to argue for or against the severity of the crime, but hacking people in general is pretty damn illegal.
He also didn't need to run the script to try more than one or maybe two accounts to verify the problem. He dumped more database than he needed to and that's something the law doesn't particularly like.
People don't like it when they find a well-intentioned lock specialist standing in their living room explaining they need better locks. Plenty of laws apply the same logic to digital "locksmiths".
In reality, it's pretty improbable in most places for the police to bother with reports like these. There have been cases in Hungary where prestigious public projects and national operations were full of security holes with the researchers sued as a result, but that's closer to politics than it is to normal police operations.
And people wonder how the US can just turn off the electric grid of another country on demand...with laws like these, I expect there are local 6 year olds who can do the same.
The main problem I have with real-world analogies we use for hacking is we assume that, like a home owner, these companies ultimately care about security and are in good-faith trying to make secure systems.
They're not. They're malicious actors themselves. They will expose the absolute maximum amount of data they can with the absolute maximum amount of parties they can to make money. They will also collect the absolute maximum amount of data. Your screen is 1920 by 1080? Cool, record that, we can sell that.
All the common sense practices we were taught in school about data security, they do the opposite. And, to top it off, they don't actually want to fix ANYTHING because doing so threatens their image, their ego, and potentially their bottom line.
No expert but I assume anything you do that is good faith usage of the site is OK. And take screenshots and report the potential problem. But making a python script to pull down data once you know? That is like getting in that car.
Real life example of fine would be you walk past a bank at midnight when it is unstaffed and the doors open so you have access to lobby (and it isn't just the night atm area). You call police on the non-emergency number and let them know.
This is exactly what I thought. The person did something illegal by accessing random accounts and no explanation makes this better. Could have asked his diving students for their consent, could have asked past students for their consent to access their accounts - but random accounts you cannot access.
Since this is a Maltese company I would assume different rules apply, but no clue how this is dealt with in Malta.
How the company reacted is bad, no question, but I can’t glance over the fact how the person did the initial "recon".
It's illegal in the US, too. This is an incredibly stupid thing to do. You never, ever test on other people's accounts. Once you know about the vulnerability, you stop and report it.
Knowing the front door is unlocked does not mean you can go inside.
Don't comment on topics you know nothing about. Nothing this guy did is illegal in the US. Everything this guy did followed standard procedures for reporting security issues. The company apparently didn't understand anything about running a secure software operation and did everything wrong. And therein lies the problem. Without civil penalties for this type of bad behavior, then it will continue. In the US, a lawyer doing this would risk disbarment as this type of behavior dances on the edge of violating whistleblower laws.
I know exactly what I'm talking about, I'm a security engineer lol. Who has worked with plenty of lawyers.
Yes, this is absolutely illegal. The CFAA is pretty fuzzy when it comes to vuln reporting but accessing other people's accounts without their permission is a line you don't cross. Having a badly secured site is usually not a crime, but hacking one is.
Several jobs ago, some dumbass tested a bunch of API keys that people had accidentally committed on github and then "reported" the vulnerability to us.
The in-house atty I was working with was furious and the guy narrowly avoided legal trouble. If he'd just emailed us about it, we'd've given him something.
Also, whistleblower laws are for employees, not randos doing dumb shit online.
Obfuscate? I can learn tailwind and use it in dozens of projects. I can use tailwind in my project and onboard dozens of developers immediately. I can learn your CSS conventions and use them in exactly one project.
He wrote "learn your CSS conventions" which implies that every team and every project will have a different set of conventions. Hidden inside that statement is the fact that he just accepted that Tailwind should be THE CSS convention, something I personally disagree with but to each their own.
No. Tailwind is a way of writing css, not a convention. By “your” convention I’m referring to the problems with the cascade, ie naming classes and so on. I’m not saying tailwind is the only other way. There are many ways to write CSS but doing it with something bespoke for your situation is usually a bad idea.
Like my answer below, that's wrong. Even I have achieved a few draws or even wins against Stockfish in training games, and I am FM strength. From time to time you are happy to reach a simple rook endgame which happens to be won and the engine doesn't anticipate that (horizon effect). You still draw or lose 90% of those but you win 10%.
Either the engine was misconfigured, the hardware you were playing on was glitching or you are omitting something. There is no chance in the world that you can beat stockfish in standard time control.
Just because you can not do it it does not mean that others can not do it. If you search for Lichess games where strong players play against (edit: strongest!) Stockfish (which, admittedly is not the full throttle Stockfish) you will find that Stockfish by far does not win all the time. Such is a claim which only inexperienced chess beginners and Stockfish fanboys make. Stronger players know that Stockfish is relatively better, and by a far margin, but – obviously – does not win all the time due to the huge drawing range in chess. Admittedly, winning a game gets more and more difficult with every year. And, to make you happy, I have never beaten Lc0.
> If you search for Lichess games where strong players play against Stockfish ([..]) you will find that Stockfish by far does not win all the time.
I'm sure some of those games are actually stockfish v stockfish or something similar. It's pretty easy to run stockfish or lichess locally and copy the moves from each engine back and forth.
@josephg (for reasons I do not know there is no reply link below your post)
Sure, some people are cheaters. Some are not. There is no personal win in cheating against Stockfish. Usually strong players do it for training purposes, or to entertain their watchers when they stream. I actually remember having seen one who did that, and he drew. That was a party.
Yes. I hear this claim from above: "Some humans can beat stockfish."
Evidence given: "There exist some small number of games on lichess.org played against stockfish where the user won."
My counter argument is that games on lichess against stockfish don't imply a human beat stockfish. It could just be that stockfish (or other bots) can sometimes beat stockfish. And some humans surely use bots to play on their behalf in order to cheat in online games.
I don't know if any humans can beat stockfish. But I don't consider that to be strong evidence.
> My counter argument is that games on lichess against stockfish don't imply a human beat stockfish. It could just be that stockfish (or other bots) can sometimes beat stockfish. And some humans surely use bots to play on their behalf in order to cheat in online games.
Also, Lichess' Stockfish runs in the browser (with all the slowdown that entails), plus is limited to one second of thinking time even on the highest level. It also has no tablebases and AFAIK no opening book. Even if you _can_ consistently beat Lichess Stockfish level 8, there's still a very long way from there to saying you can beat Stockfish at its maximum strength, which is generally what people would assume the best humans would be up against in such a duel.
People generally don't play unencumbered engines anymore because the result isn't interesting.
Well, there is nothing I can do to prove to you that I did, as I can not travel into the past taking you with me. I know, I did win two or three games and drew approximately 25 out of approximately 500 training games. But I can not prove it. You have to believe or not.
I believe you. I just suspect stockfish was misconfigured, it wasn’t playing at its highest skill level or something similar was going on. That seems more likely. (I’d love to know for sure though).
Yeah his claim is quite absurd really. If it was a weaker stockfish (bad hardware, older version etc.) then maybe. Modern stockfish pretty much crushes any and everyone. A draw alone would be extremely impressive, and maybe doable with enough luck from a top player. But even that is very far fetched nowadays. Let alone actually winning.
Elsewhere in the thread he revealed that he achieved these results around the year 2015, which means he was playing against Stockfish 6 or earlier, estimated to have about 400 less ELO than today's Stockfish 18. Stockfish 6 didn't even have NNUE, so the real issue seems to be that he thinks his results from 2015 hold any relevance to the chess engines of today.
No not at all! You can find plenty of videos on YouTube of humans taking down 2015-era stockfish. Usually it involves exploiting specific weaknesses in the engine, for example bringing the game to a stalled position where the game nearly reaches the 50 move rule, and then the engine makes a disadvantaged move to avoid a draw.
Especially pre-NNUE, chess engines were often not fully well-rounded, and therefore a human with specific knowledge of the chess engine's weaknesses could take it down with enough attempts.
Would you be willing to bet money that you can beat a properly set up stockfish, no piece odds and even time controls? I'll give you literally any odds you name and let you try an unlimited number of times until you give up. 100% serious.
P.S: You should not take this bet. You will lose. You are mistaken if you think you beat stockfish.
If you're betting against modern stockfish, respectively, that's a terrible bet.
There are some games of knight odds Leela playing superGM's.
For example, Hikaru Nakamura went 1 win, 2 draws, and 13 losses against LeelaKnightOdds at 3 minutes + 2 sec increment:
https://www.youtube.com/watch?v=pYO9w3tQU4Q
So that's a score of 2 out of 16. Which is apparently actually very good. I know Fabi played a lot of games too, and also lost almost all of them.
And that is with knight odds lol. And stockfish is even better than Leela, but generally less aggressive and more methodical.
You clarified in another post that you had won back in 2015. I have no clue the strength of engines back then (I imagine still very strong of course), but a decade of growth is a lot. They're completely insane nowadays.
I doubt that. Stockfish 11 years ago as you claim (which around then was rated approximately 2800), maybe. Stockfish today? Stockfish on Lichess is 3000 and that's not even running at full capacity. A fully supported Stockfish running on top hardware is currently 3650ish. It can avoid known draw lines and stalemate lines, and could absolutely crush the likes of Magnus.
Further, if the engine does not use an opening database and the thinking time per game is the same, then the engine will usually make the same moves, so you can learn from your errors. There are just a few chess engines which "learn" per default and therefore change their moves, like BrainLearn.
I have achieved these results around 2015, sitting at home, relaxed. I was not in a match situation observed by millions. Such a situation can knowingly lead to blunders like Kramnik's overlook of mate in 2.
I also sometimes "cheated" by aborting the game when I was tired and continuing it the next day (if at all). That's what the player in a match can not do.
I also sometimes restarted a game at a specific position. Can also not be done in a match. Finally, they used better hardware in these matches. I had eight threads on my old Laptop and I used four of them. The Laptop itself was bought around 2005. Between 2000 and approximately 2020 I trained every day and I was on my peak. I am still around 2400 on Lichess today, without training.
So, I hope it does not sound that extraordinary any more. It isn't. Maybe it is now, but not then.
2015 stockfish is quite a different beast from 2026 stockfish. Stockfish didn't even add NNUE until 2020.
Based on what data I can find, it's estimated that the difference between the 2025 stockfish (stockfish 6) and today's stockfish (stockfish 18) is nearly 400 points.
That's the difference between Magnus Carlsen at his peak and someone who doesn't even have enough rating to qualify for the grandmaster title.
So yes, the fact that you beat stockfish in 2015 doesn't sound extraordinary, because AI today is vastly stronger than it was when you achieved those results. What sounds extraordinary to people is your belief that you could repeat those results against today's top chess engines.
Out of sheer curiosity, I did a bunch of research to understand just how dramatic a 350 point rating gap is in real world chess. Magnus Carlsen, for example, has a 98% win rate against players >350 rating points lower than his own, with zero recorded losses.
In fact, there is only one game I could find in all of Chess history (Anand vs Touzane, 2001) where a super GM (rating >2700) dropped a classical game to someone more than 350 points below theirs (gap: 402 points). (it's estimated that there are between 2000 and 3000 classical games in history played between Super GMs and players >350 points below them) And it could easily be that Anand was ill, or suffering some other human condition which made his play significantly worse than his typical play for that game - which you would not see from a computer engine.
In other words, the Stockfish that you beat in 2015 would itself be expected to get 3-5 points (that is, 6-10 draws and 0 wins) in 500 matches against the best chess engine of today. The delta in strength is immense, and it is reasonable for everyone else in this comment thread to assert that you would have zero chance at all of picking up a draw against Stockfish 18 in a fair game of any time control, regardless of how many matches you played.
I do not know the time controls anymore, but I always use the latest Stockfish with all available threads. No opening book, but I do not repeat lines to take advantage of that, because I play to train calculation. I guess hash was the (for my setup) normal 4096 MB.
Latest Stockfish with all available threads and no opening book is still well beyond any human. Elo ratings get a bit silly with computers, but we're talking an Elo of well north of 3000.
For reference: The last serious match between the top human player and an engine was Brains in Bahrain, Kramnik–Fritz 7, in 2002 (already that should tell you something). Well, actually a broken and buggy version of Fritz 7, but that's another story. It was a 4–4 tie. On the latest CCRL list, Stockfish 18 outranks Fritz 8 (the oldest Fritz version on the list) by 947 Elo points _on the same hardware_. (For comparison, Magnus Carlsen's peak rating is 65 points higher than Kramnik's peak rating.)
Add to that 24 years of hardware development, and you can imagine why no human player is particularly interested in playing full-strength engines in a non-odds match anymore. Even more so in FRC/Chess960 where you have absolutely zero chance of leading the game into some sort of super-drawish opening to try to hold on to half a point now and then.
A fair match has never been played between humans and computers. Let's say we have a fair match:
* 100 games, to have some statistical relevance.
* One move per day, so that being tired is no disadvantage (engine can ponder all day).
* Human has access to endgame tablebases and opening databases, like the engine.
* Human can make notes and has a software like Chess Position Trainer, which can min max, like the engine.
If the human is a GM with Elo 2700+ I predict 25 draws and 5 wins for the human. The engine wins 70 games.
> Rating Stockfish against a human scale, such as FIDE Elo, has become virtually impossible. The gap in strength is so large that a human player cannot secure the necessary draws or wins for an accurate Elo measurement.
You're way off the mark here on modern engine strength.
There are many examples of top players playing Leela Knight Odds. And none of them even got remotely close to a decent record. Usually a few draws, and maybe a win. But almost entirely losses.
And that is with knight odds. Without that, zero chance.
2. Add a 150% size bonus to your site.
Otherwise, cool site, bookmarked.