
Wow, this is a great question. Over at ProgrammableWeb, we have seen A LOT of unauthorized APIs turn up over the years. In fact, when we've discovered them and added them to our directory, we are sometimes asked (occasionally threatened) to take down our directory entry. These APIs are sometimes developed via the scrAPI route, while other times a debugger has been used to watch what a native mobile app does, while still other times, the service provider has simply divulged WAY too much in their client-side JavaScript. However it was done, I agree there is a moral dilemma.

If I were to make a suggestion, it would be to report it to the company so that they can learn about how to better secure the API from your hack. I think that outweighs the efficacy of publishing the API to the public. But I guess it depends on what you're looking for; notoriety in the hacker community (you can't put that Pandora back in the box) or a reputation for discretion. Either one will get you credibility. Just in different forms.

One additional option would be to write about how you did it as sort of an instructive piece to hackers and service providers alike (perhaps anonymizing the service in the process). If this is something you are interested in doing, I would gladly pay you for the right to publish that article. Let me know.

David Berlind Editor in Chief ProgrammableWeb


