I find this partially interesting but mostly lucky.
I don't see this hack raking a lot of dollaroos. "stealing" someone's account would be far more dangerous. That said I'm surprised that Patreon will just let people recycle accounts like this without even a second step.
This is no different than DNS parking after a domain fell off the wagon, only with direct revenues.
Not lucky, just deceptive. Deception is what scammers do, and they do it because it’s guaranteed to make money, not because they hope to get lucky.
I’m not advocating this. Doing this was wrong, and it’s not some black hat exploit. It was a scam; pretending to be someone to make money off of an unwitting victim.
Interesting! Lots of more active scams like this happening in merchandising. I started doing merch for YouTubers back in maybe 2007 and in the last 3-4 years the scams have really picked up.
For some time the most well known youtubers would receive spam replies on all of their tweets with links to counterfeit merch sites.
If you search for the top handful of YT creator names on Amazon or eBay you’ll find loads of bootleg merch (sometimes with hundreds of reviews!)
Digital locksmiths here are generally applauded as ingenious. This tale is not at all surprising except that the OP fessed up in the end. The morality aspect is moribund, in an ocean of tracking, data mining, fake accounts, yes fraud, and the general disregard for other people's hard work (those you don't see, you don't feel for).
Is this an exploit? I remember there was an "exploit" that re-registered the URLs from old tweets of celebs or verified users that had used now-expired link shorteners.
Nah. It's not fraud if they don't get any benefit from it. Since they refunded the single, solitary person who pledged $3/month, then shut it all down, it's all good from the fraud angle.
It's wire fraud and it's a federal crime. "Refunding people" doesn't change the fact that a crime has been committed, period. This isn't legal advice.
I am not a lawyer, but I doubt refunding your fraud victim after the fact gets you off the hook for fraud. If the victim or the police wanted to pursue that.
I think it might make it difficult to prove intent to defraud if you immediately return the cash. Is it theft if a magician picks your pocket but then returns the wallet at the end of the trick? In the most technical sense of the term, it might be. But I can't imagine a prosecutor that would go after something like that.
I see what you're trying for but I don't think the magician analogy is accurate. Bare minimum you agreed to sit and watch the magic show, and every time I've seen a magician involve the audience they always start with "Can I get a volunteer?", at which point it's clear you're a willing participant (yes, you don't know what's about to happen, but the magician gives the wallet back after so it's clear about the entertaining show and not an example of the magician attempting to commit a crime)
> Is it theft if a magician picks your pocket but then returns the wallet at the end of the trick?
If a "street magician" randomly picks my pocket out of the blue, you can bet I consider that theft, even if they give it back afterwards. They'd better get my consent to do anything with my person or my property.
A dead comment asked if stealing 100 dollars is fine if you give it back.
So I'll chip in that for basic theft, one of the core elements is intent to permanently deprive the original owner. So if someone steals money, changes their mind, and then returns it, that's still theft. And taking money to spend, with a promise of returning money later, still counts as theft. But if the intent all along was to return it the next day, stored safely the entire time, that's not theft.
Obviously intent is hard to prove, so don't try to pull that off without a lot of evidence and/or a very understanding target.
> But if the intent all along was to return it the next day, stored safely the entire time, that's not theft.
Legally, this isn't even remotely true.
If you deprive someone of their legal possessions without permission, even with intent to return it later, you are guilty of theft.
There is no loophole that allows you to temporarily steal things as long as you intend to return them.
Intent only comes into play if the person had no intention of depriving the other person. An example would be if you accidentally pick up someone else's jacket because you thought it was yours.
The parent isn't claiming that it's legal to take something so long as you have intent to return it. Just that the standard definition of theft requires "permanently" as an element, and maybe taking something temporarily would be some other crime.
See the model penal code[1] "(1) "deprive" means: (a) to withhold property of another permanently or for so extended a period as to appropriate a major portion of its economic value, or with intent to restore only upon payment of reward or other compensation"
See [2] which mentions the "permanent" requirement three times.
We’re so deep into pedantry that we’re missing the point of the conversation.
To clarify, most jurisdictions have definitions of theft that will be true even if you only deprive the person of their property for a short period of time:
> Today, many states have extended the definition of theft to include depriving the owner of the property even for a short period of time, thus rendering unauthorized borrowing as theft.
So yes, maybe there is some jurisdiction somewhere that wouldn’t define unauthorized borrowing as theft, but chances are good that if you borrow something without authorization, you can be guilty of theft (among other things) in most jurisdictions.
> Yes, it happened to be used by someone else previously, but how is that his fault?
Fraud is deception with the intent of personal gain.
He wrote and published an entire blog article entitled "How I exploited existing youtube videos with a fake Patreon profile" in which he describes how he registered a Patreon account with the expectation of deceiving users into sending him money.
He confesses that it was a black hat "proof of concept", but he's refunded the money and reported things to Patreon.
Patreon, and ANY website that has users' profiles as permalinks, should reserve ANY account name that has been deleted to prevent squatting.
I'm not sure how this works with the right to be forgotten laws though; I have a gut feeling that you can have your profile deleted and the leftover URLs and permalinks just go to 404 or other kinds of placeholders.
Then you are leaking info about the previous (or private) existence of the resource. If I recall correctly, GitHub returns 404 for existing private repos, for example.
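The two comments above describe the mitigation (retire a deleted handle so nobody can re-register the permalink) and its caveat (a "reserved" response leaks that the profile once existed). The following is an added example, not code from the thread or from Patreon or GitHub: a small handle registry that tombstones deleted names and answers deleted and never-registered lookups identically. All names and the HTTP-status convention are assumptions made for illustration.

```python
"""Added example (not from the thread): handle registry with tombstones.

A deleted handle is retired rather than released, so a later signup cannot
reclaim the old permalink. Lookups of a deleted handle and of a handle that
never existed both yield 404, so a visitor learns nothing about prior accounts.
"""
from dataclasses import dataclass, field


@dataclass
class HandleRegistry:
    active: dict = field(default_factory=dict)     # handle -> owner id
    tombstones: set = field(default_factory=set)   # handles retired on deletion

    @staticmethod
    def normalize(handle: str) -> str:
        # Case-fold so "Creator" and "creator" cannot both be squatted variants.
        return handle.strip().lower()

    def register(self, handle: str, owner: str) -> bool:
        h = self.normalize(handle)
        if h in self.active or h in self.tombstones:
            return False            # live or retired: refuse re-registration
        self.active[h] = owner
        return True

    def delete(self, handle: str) -> None:
        h = self.normalize(handle)
        if h in self.active:
            del self.active[h]
            self.tombstones.add(h)  # retire the name instead of freeing it

    def resolve(self, handle: str) -> int:
        """Status for a permalink lookup: 200 for a live profile, else 404.

        Deleted and never-registered handles are deliberately indistinguishable;
        returning a distinct 'reserved' status here would leak account history.
        """
        return 200 if self.normalize(handle) in self.active else 404


def squat_after_delete_is_blocked(registry: HandleRegistry) -> bool:
    """Walk the scenario from the post: register, delete, then a second user
    tries to take the same handle. Returns True if the takeover is refused."""
    assert registry.register("CreatorName", "original-owner")   # constructed sample
    registry.delete("creatorname")
    squatter_got_it = registry.register("creatorname", "someone-else")
    return not squatter_got_it
```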
The writer at the end refunds the money and messages Patreon to fix the issue; I think that would go massively in his favour in the rare chance it ended up in front of a judge.
I was going to leave this alone, but it's important to point out this is not white hat.
This would still be black hat (or arguably grey hat)...
White hat would have been realizing the possible problem and informing the company without actually making the account (or, with only making the account to prove the link, but not taking money from anyone).
You could possibly argue that if the author "cheated himself" only, that's okay... E.g. paid themselves through patreon... Assuming the author eats the cost difference and doesn't refund.
The author actually defrauded unaware visitors, intentionally; he has caused harm to them, Patreon (financially or in goodwill/name), and the money transfer networks; this is at a minimum grey hat... Sure, the end user donating was made whole, but other business entities were harmed... Someone eats that transaction fee.
By stopping. If it is not possible for you to penetrate a service without causing disruption or harm to others, then you stop. You could reach out to the business and say "hey, you should consider checking this out" or asking if they offer some sort of test system for pentesters. But sometimes the result is just to not proceed at all.
If he'd _needed_ to test payment (arguable), he could have created a 'real' account, deleted it, squatted his own deleted account, and sent payments to it himself.
Legal consequences aren't the only form of consequences. In this post the author mentions their (legitimate) business.
If I were a potential customer looking into said business and found this post I would be very put off by the lack of morals. The strongest condemnation we receive for literal theft is that they "didn't want to"; the author barely even seems to understand why their behavior is immoral.
Did you read the post to the very end?
I don't see anything immoral, he just spotted a weakness in Patreon, warned Patreon and wrote a blog post about it. Nothing wrong here.
The author makes no mention of warning Patreon about this weakness, unless you're counting this blog post as the warning.
They clearly attempted to impersonate the original owner of the page, using a description and artwork suggesting they were the original owner.
The second to last paragraph features the author fantasizing about how much money they could make by defrauding people. Quote: "This plan could be pretty profitable!"
Like yeah, in the end they took down the page and refunded the patron. But the author made the wrong choice at essentially every step prior to that moment.
The author didn't just "spot a weakness in Patreon", they attempted to (and managed to) commit wire fraud. The fact they had little success and later returned what they stole is relatively little consolation.
Not as uncommon as you think. Many people realize without knowing much about the law that breaking the law can be a great business plan. They just converge upon ideas that are illegal naturally and unperturbed by the potential problems.
Ironically this is also a bit of an entrepreneurial advantage. A trained corporate management drone will be aware of all the bad things that can happen and has been paper trained by lawyers to be frightened of doing anything illegal. The sweet spot is when it's something that's just slightly illegal or just a matter of civil law, but the danger zone is in something like this which is just fraud.
I am just saying that in security, while it can be very difficult to always find where the line between ethical and unethical conduct is; and what will get a company to pay attention to an issue without getting yourself arrested;
What I AM saying is that this person blew so far past that line that I wonder if they are even aware that one exists.
All without even considering that, maybe, "that time last week when I committed wire fraud" probably isn't the best topic for a blog post.
Do I think that the author was acting maliciously or in bad faith? No. But the US justice system has a really nasty habit of not taking facts like these into account; as Aaron Swartz tragically learned.
Tl;dr "it's just a prank, bro" is not an effective legal defense, and prosecutors fucking LOVE convicting hackers.
Why fraud? If we are talking about criminal law, the requirements to convict a person are strict. In this case the author has not claimed, either on Patreon or YouTube, to be someone he is not. He has not falsified any data/documents and has not stolen any account, since the one he claimed was available.
Sketchy? No doubts. Fraud? Doesn't seem like it at all.
In the UK it could be technically counted as fraud by false representation. The legal hurdles for this are:
* The Patreon page was misleading (this post shows it was, including the use of old links and imagery to show association to a YouTube channel, which was false)
* The person making it knows it might be misleading (they did - they said so in this post)
* The intention was to make a gain in money for themselves, others or to cause a loss to someone else. This includes situations where the gain in money is only temporary (again, technically yes.)
I'm not saying they should be charged with it as clearly they didn't mean to cause harm and were doing it to raise awareness, but it does seem to fit the definition.
Not related to the subject of the post, but for anyone interested OP seems to run a stock portfolio tracker for dividend investors, which he mentioned briefly (his blog mostly concerns his investing endeavors). It seemed pretty cool to me and is in need of support, so I'll leave the link here: