Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What part of "private API" is the one you don't understand? We could elaborate.


I wasn't aware companies could, by fiat, declare certain publicly available endpoints private, thereby compelling everyone by force of law to pretend they don't exist.


My bank's website is publicly available. That doesn't mean anyone is free to access my bank account. Just 'cause something is accessible on the internet doesn't mean you have the right to access it. Case law and statute goes back at least to the 1980s on this point.


The aforementioned tools do nothing whatsoever to grant to access accounts which aren’t theirs.


I know. That’s not what I said.


> That doesn't mean anyone is free to access my bank account.


People have gone to prison over guessable GET parameters

https://en.wikipedia.org/wiki/Goatse_Security#AT&T/iPad_emai...

https://www.praetorianprefect.com/2010/06/114000-ipad-owners...


Citing convictions overturned on appeal probably isn't the strongest evidence of illegality. (Because they were overturned on threshold issues that didn’t involve inquiry into the substantive merits of the charges, its not evidence against illegality, either, but...)


My point is people have gone to prison over GET parameters, not the legality of the it. DOJ has CFAA. Abusing private APIs is flying close to the sun. Even if you do get out of prison eventually


> My point is people have gone to prison over GET parameters, not the legality of the it. DOJ has CFAA.

And CFAA is limited by Van Buren.


They can. Now you know.


So, if I create a cat GIF API, but announce that it's a private cat GIF API only I am allowed to use, I can sue anyone else who uses it to retrieve a cat GIF?


Legally and literally: yes.

Knowingly using a private API without authorization can fall under CFAA, contract law, copyright law, trespass to chattel, etc -- and you can issue a C&D and/or sue for whatever is relevant.


These are the exact same “private API”s your browser utilizes when visiting chat.openai.com and require your own API keys granted to you by OpenAI.

Calling it illegal is utterly insane. It’s just a different user-agent and they’d prefer people use their official ones. OpenAI literally controls the keys so if they don’t want someone using an alternate mechanism, they can and will just ban the account.


My website is private. If you visit it I will sue you.

If someone bypasses authentication I understand but if your api is open on the public internet on purpose, you don't get to randomly declare what's private and what isn't.


> mycoolsite.com is the same as mycoolsite.com/api/bb8d4cc4-1453-473b-8594-95db0f41877d/3c9242b8-2394-48c1-9643-618ca38eb13d for which you'll also need these dozen parameters and custom headers for, which there is no public documentation for

Whoo whoo, go easy on the straw man, man.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: