Canadian police have arrested and charged a 19-year-old man who allegedly exploited the Heartbleed bug to steal personal data from the Canadian Revenue Agency’s website.
The arrest of Stephen Arthuro Solis-Reyes, who allegedly grabbed 900 social insurance numbers (SINs) over a period of six hours, marks the first time that authorities have apprehended someone in relation to the bug in OpenSSL.
Solis-Reyes of London, Ontario, a student at Western University, was detained by the London Police Service and the Royal Canadian Mounted Police (RCMP) National Division Integrated Technological Crime Unit.
In a statement, Assistant Commissioner Gilles Michaud of the RCMP said:
The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in "O" Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.
Following a search at his residence, and the seizure of his computer equipment, Solis-Reyes now faces one charge of Unauthorized Use of a Computer and one count of Mischief in Relation to Data contrary to Sections 342.1(1)(a) and 430(1.1) of the Criminal Code.
He is scheduled to appear in court in Ottawa on 17 July 2014.
Canada’s tax agency was one of the first major organisations to be impacted by the Heartbleed flaw and subsequently had to remove public access to its online services for four days in order to protect taxpayer information.
It’s unclear what Solis-Reyes’s motivations were. But it’s important to remember that while security researchers and other interested parties may regard testing for Heartbleed or other vulnerabilities as ethical and useful, the law may not agree.
Such activity may not be regulated in every nation, but some countries certainly do prohibit the testing of security on third-party websites without permission.
Besides Canada, the US has the Computer Fraud and Abuse Act and the UK employs the Computer Misuse Act to outlaw such behaviour, regardless of intent.
While simply scanning a site to check for vulnerabilities is a violation that may not be enforced, it would still pay to think before doing so – what would happen if, for instance, your request returns more data than you expected, and some of that data contains personal information you ought not to have?
Furthermore, it should be obvious that actually exploiting any discovered vulnerabilities in order to gain unauthorised access to networks and data is a bad idea at all times. More so if the organisation in question is your national tax office.
If you do have legitimate concerns about a website’s security, the correct course of action would be to notify the owners and engage in responsible disclosure in a manner that doesn’t place other people’s data in jeopardy.