When talking about hacking, there are a few common terms that come up. These terms convey the intent, permission, and motivations behind the way someone is hacking.

Legality

All hacking (including white hat) can be illegal in various ways, so don’t think that because you pick one of these labels you’re free of legal scrutiny [1][2]. This changes over time and per country, but you should look into your legal risk before doing any work on systems. In particular, for any situation you should:

  1. Ask permission first before trying an exploit.
    • Importantly, you need to get it in writing that you’re allowed to do what you’re doing. Even if someone hires you there should be a record, or they can later say they never gave you permission.
  2. Disclose all exploits.
    • If you come across an exploit while intentionally or unintentionally using an application, you should disclose it. The two common types are responsible disclosure and full disclosure [3]. Many places have bug bounty programs exactly for this [4][5].
  3. DO NOT COLLECT DATA.
    • If you are able to get data from a system, do not store it. Storing stolen data is illegal in pretty much every country, especially user data.

Doing all of this does not guarantee you legal immunity; it’s just the set of best practices for avoiding most legal issues. Some countries have stronger stances on this [6][7] than others [8], and that will affect legality a lot as well.

Types of Disclosures

It’s important to note that when disclosing bugs there are two main types: public/full and responsible/private. Their names should give you some indication, but essentially a full disclosure is a disclosure of a bug publicly [9][10][11]. The philosophy behind this is that people deserve to know their devices are vulnerable. Disclosing publicly forces the company to resolve the issues, unlike private disclosures, which can often take years and can lead to “catch and kill”.

Private/responsible disclosures instead report directly to the hardware/software developer so they can fix the bug without the public knowing about it. This is often done through bug bounty programs, where people are paid to find bugs. This also has the benefit of not giving black hat hackers a chance to use the bug while the developer is patching it.

There is a more in-depth article on the ethics here.

White Hat

These are typically considered the “good guys”. The intention is to discover security vulnerabilities in order to help the affected systems and, importantly, to do all this with permission. White hat hackers would include people who are part of security analysis teams.

Just because white hat hackers have permission does not always mean they are free from legal issues. For example, a Polish train service hired hackers to look into issues with a train after its warranty expired, and the hackers are now being threatened by the manufacturer [12]. Likewise, agents working for the government of one country do not have permission from other countries for their work, and may find themselves charged if they enter those countries.

Examples

Grey Hat

This is essentially where you are hacking “for good”, but in a legally or ethically ambiguous way. This is, for example, someone who is working on a system without explicit permission. This means you are operating in a “grey area”: you don’t intend to do something wrong, but that doesn’t mean you are in the clear.

Some countries will “upgrade” grey hat hacking to white hat hacking if people follow responsible disclosure paths [6][13]. These laws change by country, but in some countries it is “safe” to test an exploit so long as you can demonstrate its sole purpose was to then disclose it to the company. Different countries have varying rules on this, but generally if you write up a disclosure (like a CVE) you can avoid the legal consequences. Realistically you should just take the “white hat” approach first and reach out before testing. However, if you accidentally find a vulnerability, in many cases you should be protected so long as you disclose it to the company that makes the software or hardware you’re using.

Examples

Black hat

Black hat hackers are essentially the “bad” side of hacking. These are people who hack illegally with the intention of being paid to exploit systems and/or to sell exploits. Basically all forms of black hat hacking are illegal, including the less obvious forms like social engineering. It’s also important to be aware that in some countries even purchasing vulnerabilities can be considered illegal.

Examples

Additional References and Resources

Footnotes

  1. It’s Now Scary to Be A White Hat Hacker Thanks to the US Government (futurism.com)

  2. MERKBLATT White Hat Hacker EN.pdf

  3. https://www.helpnetsecurity.com/2023/11/27/eddie-zhang-project-black-vulnerability-disclosure

  4. Google Bug Hunters

  5. Microsoft Bounty Programs | MSRC

  6. US Justice Department won’t prosecute white-hat hackers under the CFAA | ZDNET

  7. Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity? - CiTiP blog (kuleuven.be)

  8. License to hack? - Ethical hacking - Infosecurity Magazine (infosecurity-magazine.com)

  9. misc.ktemkin.com/fusee_gelee_nvidia.pdf

  10. CVE - CVE (mitre.org)

  11. Zuckerberg’s Facebook page hacked to prove security exploit | CNN Business

  12. https://gizmodo.com/hackers-hit-with-legal-threats-after-they-fixed-a-brick-1851097424

  13. https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act#:~:text=The%20policy%20for%20the%20first%20time%20directs%20that%20good%2Dfaith%20security%20research%20should%20not%20be%20charged.