Ask HN: I've reversed-engineered a private API, now what?
4 points by nnd on Dec 15, 2014 | hide | past | favorite | 3 comments
I'd like to discuss the ethical aspect of using a private API.

I was able to reverse-engineer a secure HTTP API of a website with over 10 million users to enable access from third-party clients (one has to authenticate with their login and password). This hack allows you to access your own data on the website, that's it, there is no malicious intent.

I have several options here:

* publish it on a popular blog and wait for the company to act on this (they probably won't be too happy)
* report the vulnerability to the company, and when they fix it, publish the information

I really want to publish this hack, as it could be useful for others to learn how to reverse engineer APIs, and I also believe there is no reason why said API should be private in the first place, they should open it.

What would you do?
Wow, this is a great question. Over at ProgrammableWeb, we have seen A LOT of unauthorized APIs turn up over the years. In fact, when we've discovered them and added them to our directory, we are sometimes asked (occasionally threatened) to take down our directory entry. These APIs are sometimes developed via the scrAPI route, while other times a debugger has been used to watch what a native mobile app does, while still other times, the service provider has simply divulged WAY too much in their client-side JavaScript. However it was done, I agree there is a moral dilemma.

If I were to make a suggestion, it would be to report it to the company so that they can learn about how to better secure the API from your hack. I think that outweighs the efficacy of publishing the API to the public. But I guess it depends on what you're looking for; notoriety in the hacker community (you can't put that Pandora back in the box) or a reputation for discretion. Either one will get you credibility. Just in different forms.

One additional option would be to write about how you did it as sort of an instructive piece to hackers and service providers alike (perhaps anonymizing the service in the process). If this is something you are interested in doing, I would gladly pay you for the right to publish that article. Let me know.

David Berlind, Editor in Chief, ProgrammableWeb

Where are you based?

In the EU, this isn't a problem. You're free to reverse engineer the structure of APIs/protocols/data formats to integrate third party apps with it.

Morally, I don't think there's a problem either. Heck, you could build something cool on top of it. That's what I would do.

I don't even see reverse engineering APIs as a vulnerability. A ton of APIs (i.e. used in mobile apps) can easily be reverse engineered.
What is your goal? It sounds like the moment you publish, you expect the company will close the API. So you will actually be blocking third-party clients.

How about making your own third party client, but not publishing the API details until they are closed?