DOC-ID: HD-2025-0104

HackerDefense Report: Weev – When Incrementing a URL Becomes a Federal Crime

Andrew 'weev' Auernheimer was sentenced to 41 months in federal prison for incrementing a number in a URL. This HackerDefense Report examines how the US government criminalized basic web browsing and the chilling effect on security research.

FILED BY: HD Staff
DATE: 2025-02-26

How the US government criminalized basic web browsing and sent a security researcher to prison for 41 months

Executive Summary

In 2010, Andrew Auernheimer—known online as "weev"—discovered that AT&T had exposed the email addresses of over 114,000 iPad 3G owners on a publicly accessible web server. The vulnerability required no hacking tools, no password cracking, and no exploitation of any security mechanism. It required only incrementing a number in a URL.

For this discovery, weev was sentenced to 41 months in federal prison under the Computer Fraud and Abuse Act (CFAA). His case represents one of the most technically absurd prosecutions in cybersecurity history—and a chilling precedent for anyone who discovers a security vulnerability.


The Technical Facts: What Actually Happened

The AT&T Vulnerability

In June 2010, AT&T's website contained an API endpoint that returned customer email addresses when provided with an ICC-ID (a SIM card identifier). The endpoint looked something like:

https://dcp2.att.com/OEPClient/openPage?ICCID=8901410000000000001

The critical flaw: there was no authentication. Anyone who visited this URL received the associated email address. Change the number, get a different email.
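
The flaw described above is a missing authorization check on a direct object reference. As an added illustration, not code from AT&T or from this report, the Python below puts a lookup that trusts the ICC-ID alone beside one that requires a session and checks ownership; the subscriber records, session tokens and function names are constructed assumptions.

```python
# Constructed data: ICC-ID -> (owning account, email on file).
SUBSCRIBERS = {
    "8901410000000000001": ("acct-1001", "alice@example.com"),
    "8901410000000000002": ("acct-1002", "bob@example.com"),
}
# Constructed session store: opaque session token -> account id.
SESSIONS = {"tok-alice": "acct-1001"}


def lookup_unauthenticated(iccid):
    """Behaviour the article describes: the ICC-ID alone selects the record."""
    record = SUBSCRIBERS.get(iccid)
    return (200, record[1]) if record else (404, None)


def lookup_authorized(iccid, session_token):
    """Require a valid session, then check the caller owns the ICC-ID."""
    account = SESSIONS.get(session_token)
    if account is None:
        return (401, None)  # no session: never consult subscriber data
    record = SUBSCRIBERS.get(iccid)
    # Same answer for "unknown ICC-ID" and "someone else's ICC-ID", so the
    # status code does not reveal which identifiers exist.
    if record is None or record[0] != account:
        return (404, None)
    return (200, record[1])


if __name__ == "__main__":
    other = "8901410000000000002"
    print("no check:  ", lookup_unauthenticated(other))
    print("no session:", lookup_authorized(other, None))
    print("not owner: ", lookup_authorized(other, "tok-alice"))
    print("owner:     ", lookup_authorized("8901410000000000001", "tok-alice"))
```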

What Weev and Spitler Did

Daniel Spitler wrote a script that:

  • Incremented the ICC-ID number sequentially
  • Made HTTP GET requests (the same thing your browser does)
  • Saved the returned email addresses

They collected approximately 114,000 email addresses of iPad 3G users, including government officials, military personnel, and celebrities. They then disclosed the vulnerability to Gawker Media, which published a story about AT&T's security failure.
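
From the server's side, that request pattern is visible in ordinary access logs. The following added example (not part of the original report) flags clients whose ICCID parameter walks through consecutive values; the log lines are constructed, and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jun/2010:10:00:01 +0000] "GET /OEPClient/openPage?ICCID=8901410000000000001 HTTP/1.1" 200 312
198.51.100.7 - - [05/Jun/2010:10:00:01 +0000] "GET /OEPClient/openPage?ICCID=8901410000000000002 HTTP/1.1" 200 309
198.51.100.7 - - [05/Jun/2010:10:00:02 +0000] "GET /OEPClient/openPage?ICCID=8901410000000000003 HTTP/1.1" 404 120
198.51.100.7 - - [05/Jun/2010:10:00:02 +0000] "GET /OEPClient/openPage?ICCID=8901410000000000004 HTTP/1.1" 200 315
198.51.100.7 - - [05/Jun/2010:10:00:03 +0000] "GET /OEPClient/openPage?ICCID=8901410000000000005 HTTP/1.1" 200 311
198.51.100.7 - - [05/Jun/2010:10:00:03 +0000] "GET /OEPClient/openPage?ICCID=8901410000000000006 HTTP/1.1" 200 310
203.0.113.20 - - [05/Jun/2010:10:01:10 +0000] "GET /OEPClient/openPage?ICCID=8901410000000048213 HTTP/1.1" 200 314
203.0.113.20 - - [05/Jun/2010:11:30:42 +0000] "GET /OEPClient/openPage?ICCID=8901410000000048213 HTTP/1.1" 200 314
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def iccids_by_client(log_text):
    """Map client address -> ICCID values requested, in log order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed GET entries
        values = parse_qs(urlsplit(m.group(2)).query).get("ICCID", [])
        if values and values[0].isdigit():
            seen[m.group(1)].append(int(values[0]))
    return seen

def longest_sequential_run(ids):
    """Length of the longest run in which each value is the previous + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_distinct=5, min_run=4):
    """Flag clients that request many distinct ICCIDs in +1 steps.
    Thresholds are illustrative assumptions; tune them to real traffic."""
    flagged = {}
    for client, ids in iccids_by_client(log_text).items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[client] = {"distinct": distinct, "longest_run": run}
    return flagged
```

A legitimate device repeats its own identifier, so the second client in the sample is not flagged even though it makes more than one request.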

What They Did NOT Do

  • Bypass any authentication mechanism
  • Crack any passwords
  • Exploit any buffer overflow or injection vulnerability
  • Use any hacking tools
  • Access any system they weren't permitted to access
  • Modify, delete, or damage any data

HackerDefense Assessment: The "exploit" was equivalent to changing a page number in a URL from page=1 to page=2. This is something billions of internet users do daily without realizing they're committing what prosecutors would later call "unauthorized access."


The Charges

In January 2011, weev was charged under the Computer Fraud and Abuse Act with:

  • Conspiracy to access a computer without authorization
  • Identity fraud (for possessing the email addresses)

The Trial

The prosecution's argument hinged on the claim that weev "accessed" AT&T's servers "without authorization." But this raises a fundamental question: how can accessing a public URL be unauthorized?

AT&T's servers responded to HTTP requests from any IP address. There was no login page, no terms of service click-through, no robots.txt restriction—nothing indicating the data was private. The server literally handed over the data to anyone who asked.

The Verdict

In November 2012, weev was found guilty. In March 2013, he was sentenced to 41 months in federal prison.

The judge also ordered weev to pay $73,000 in restitution—to AT&T, the company whose negligence caused the breach in the first place.


The Technical Absurdity

Why This Matters to Every Internet User

The precedent set by weev's conviction is terrifying:

  • Guessing URLs is hacking: If incrementing a number in a URL constitutes unauthorized access, then millions of people "hack" websites daily
  • No security = full protection: AT&T's complete lack of security was legally irrelevant; accessing their unprotected data was still "unauthorized"
  • Disclosure is conspiracy: Telling a journalist about a vulnerability makes you a criminal conspirator

The Browser Argument

Weev's defense team made a compelling argument: web browsers routinely make automated requests that users don't explicitly authorize. When you visit a page, your browser:

  • Fetches images from various URLs
  • Loads JavaScript from CDNs
  • Makes API calls in the background
  • Prefetches linked pages

Under the prosecution's interpretation, your browser might be committing federal crimes every time you visit a website.

Critical Point: The government's theory essentially criminalized HTTP GET requests—the most fundamental operation of the World Wide Web.


The Appeal and Reversal

In April 2014, the Third Circuit Court of Appeals vacated weev's conviction—but not on the merits of the CFAA interpretation. Instead, the court ruled that the case was tried in the wrong venue (New Jersey, where neither weev nor AT&T's servers were located).

The government chose not to retry the case, and weev was released after serving approximately 13 months.

The Hollow Victory

While weev was freed, the legal question remains unresolved. The CFAA's vague language still allows prosecutors to argue that accessing publicly available URLs without "authorization" constitutes computer fraud. No appellate court has definitively ruled that incrementing a URL is legal.


Broader Implications

The Chilling Effect on Security Research

The weev prosecution sent a clear message to security researchers: finding vulnerabilities can ruin your life. Even if you:

  • Don't damage anything
  • Don't steal money
  • Don't access truly private systems
  • Disclose responsibly to journalists

You can still face years in federal prison.

The CFAA Problem

The Computer Fraud and Abuse Act was written in 1986, when "accessing a computer without authorization" had a clearer meaning. In the era of web APIs, public endpoints, and interconnected systems, the concept of "authorization" is hopelessly muddled.

Is visiting a URL "authorized"? Is it authorized if there's no login? What if there's a login but you don't need to use it? What if the terms of service prohibit automated access but don't enforce it technically?

The CFAA provides no answers—only prosecutorial discretion.


Lessons for the Security Community

1. Documentation Matters

Weev and Spitler communicated openly about their discovery, which prosecutors used against them. In the post-weev world, researchers must assume all communications may be used in court.

2. Disclosure is Dangerous

Going to the press instead of the company may be seen as evidence of criminal intent, even if the company would have ignored a private disclosure.

3. The Law is Broken

Until the CFAA is reformed, any security research on systems you don't own carries legal risk—regardless of how trivial the "vulnerability" or how public the data.


Conclusion

Andrew Auernheimer went to prison for doing what any curious internet user might do: changing a number in a URL. AT&T's negligence exposed 114,000 customers, but it was the person who discovered the exposure—not the company that caused it—who was punished.

The weev case remains a stark warning: in the United States, the law treats security researchers as criminals, even when they cause no harm and expose genuine corporate negligence. Until the CFAA is modernized, every security professional operates under the shadow of potential prosecution.

The question isn't whether incrementing a URL should be a crime. The question is why, in 2010, the US government decided it was.

