It sounds like he spent two months extracting data through a flaw that's existed for years and then bragged about it after it got closed to his egregious usage.
Is this considered normal or ethical behavior for a security researcher?
Hopefully it wasn't just closed to him, but closed to everyone else too.
> Is this considered normal or ethical behavior for a security researcher?
weev did something similar (scraped 100k phone numbers from Apple, then shared them with a journalist) and was convicted and sentenced to 41 months in prison for it.
Yes, but the overturn wasn't based on URLs, or scraping, or disclosure, or security, or damages, it was based on him being charged in the wrong state. The court system still thinks everything else about the case was fine.
Accessing an API? I question how ethical what he did is, but I don't see how it is illegal. I think it's a lot like scraping, which LinkedIn failed to sue people for.
I doubt it's currently illegal, but I don't think it's impossible to make it illegal. Accessing the API enough to prove a flaw and report it is one thing. Getting 17 million PII records over the space of 60 days is orders of magnitude beyond that.
Especially given that things like GDPR and the CCPA are drawing clear boundaries around private data and how companies can use it, it shouldn't be impossible to make laws that regulate how third parties access and use that data.
I'd also hope that Twitter faces regulatory penalties and perhaps civil liability depending on the harm done.
There's nothing white-hat about this. He accessed as much private data as possible, and didn't report the vulnerability to Twitter or to affected users.
Of course what Ibrahim did wasn't full disclosure either, so he shouldn't be fully congratulated. But bragging about it was better than keeping silent about it in this case.