Today I ran across Patrick Webster's story from Australia and he wasn't so lucky. He noticed that his bank's web application allowed for any customer to view another customer's account information, including very sensitive data that could allow for identity theft. This type of insecure direct object reference vulnerability is very simple to exploit. Mr. Webster just changed a numerical parameter in the URL to discover the problem. He reported it to his bank, who decided to report him to the police. It's not like this guy was a determined attacker with premeditation who spent weeks doing reconnaissance on the site. That said, he clearly went too far by running a script that "cycled through each ID number and pulled down the relevant report to his computer". That wasn't necessary to report the vulnerability.
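As an added illustration (not code from the post or from either bank), here is the shape of the bug Mr. Webster found next to its fix, plus a small check a defender could run over access logs to spot a script cycling through IDs. The account table, the session names and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data: account id -> owning customer and its report.
ACCOUNTS = {
    1001: {"owner": "alice", "report": "alice's credit report"},
    1002: {"owner": "bob", "report": "bob's credit report"},
}

class Forbidden(Exception):
    """Raised when a customer asks for a record they do not own."""

def get_report_vulnerable(session_user, account_id):
    """IDOR: trusts the id from the URL; any logged-in user reads any account."""
    return ACCOUNTS[account_id]["report"]

def get_report_fixed(session_user, account_id):
    """Resolves the record, then checks that the session user owns it."""
    record = ACCOUNTS.get(account_id)
    # One response for "missing" and "not yours", so the endpoint does not
    # reveal which ids exist to someone walking the number space.
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such report for this customer")
    return record["report"]

def can_read(handler, session_user, account_id):
    """True if the handler returns the report, False if it refuses."""
    try:
        handler(session_user, account_id)
        return True
    except (Forbidden, KeyError):
        return False

# Constructed access-log excerpt (hypothetical format): one session walks ids.
LOG = """\
sess=abc GET /report?id=1001
sess=abc GET /report?id=1002
sess=abc GET /report?id=1003
sess=abc GET /report?id=1004
sess=xyz GET /report?id=1002
"""
LOG_RE = re.compile(r"sess=(\w+) GET /report\?id=(\d+)")

def enumerating_sessions(log_text, threshold=3):
    """Sessions that requested at least `threshold` distinct account ids."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```

The ownership check belongs on every record lookup, not only the report endpoint; the log check is a coarse heuristic and a real deployment would tune the threshold to normal per-session behaviour.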
Another example is Andrew Auernheimer who is potentially facing 5 years in prison due to his AT&T "account slurper" script. Again, he went too far with the script, but clearly he might've been prosecuted anyway. One of the comments on this story was humorous:
"You seem to be implying that every exploit can be anticipated. The article points out that AT&T changed their code after discovery of the hack. There is no indication that they knew it was a problem beforehand."

Web app vulns can and should be anticipated.