The term "grey hat" refers to a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but does not have the malicious intent typical of a black hat hacker.
The term began to be used in the late 1990s, derived from the concepts of "white hat" and "black hat" hackers.[1] When a white hat hacker discovers a vulnerability, they will exploit it only with permission and not divulge its existence until it has been fixed, whereas the black hat will illegally exploit it and/or tell others how to do so. The grey hat will neither illegally exploit it, nor tell others how to do so.[2]
A further difference among these types of hacker lies in their methods of discovering vulnerabilities. The white hat breaks into systems and networks at the request of their employer or with explicit permission for the purpose of determining how secure they are against hackers, whereas the black hat will break into any system or network in order to uncover sensitive information and for personal gain. The grey hat generally has the skills and intent of the white hat but will break into any system or network without permission.[3][4]
According to one definition of a grey hat hacker, when they discover a vulnerability, instead of telling the vendor how the exploit works, they may offer to repair it for a small fee. When they successfully gain illegal access to a system or network, they may suggest to the system administrator that one of their friends be hired to fix the problem; however, this practice has been declining due to the increasing willingness of businesses to prosecute. Another definition of grey hat maintains that grey hat hackers only arguably violate the law in an effort to research and improve security, legality being set according to the particular ramifications of any hacks they participate in.[5]
In the search engine optimization (SEO) community, grey hat hackers are those who manipulate web sites' search engine rankings using means that are improper or unethical but are not considered search engine spam.[6] This search engine optimization strategy is the most effective and suitable for almost all types of websites, and can bring good results without any harm. Though grey hat SEO techniques are less effective than white hat SEO, they can reduce, to an extent, the chances of penalization by any algorithm update, which is mostly associated with black hat SEO.
In April 2000, hackers known as "{}" and "Hardbeat" gained unauthorized access to Apache.org.[15] They chose to alert the Apache crew to the problems rather than try to damage the Apache.org servers.[16]
In June 2010, a group of computer experts known as Goatse Security exposed a flaw in AT&T security which allowed the e-mail addresses of iPad users to be revealed.[17] The group revealed the security flaw to the media soon after notifying AT&T. Since then, the FBI has opened an investigation into the incident and raided the house of weev, the group's most prominent member.[18]
In April 2011, a group of experts discovered that the Apple iPhone and 3G iPads were "logging where the user visits". Apple released a statement saying that the iPad and iPhone were only logging the towers that the phone could access.[19] There have been numerous articles on the matter and it has been viewed as a minor security issue. This instance would be classified as "grey hat" because although the experts could have used this for malicious intent, the issue was reported.[20]
In August 2013, Khalil Shreateh, an unemployed computer security researcher, hacked the Facebook page of Mark Zuckerberg, Facebook’s CEO, in order to force action to correct a bug he had discovered which allowed him to post to any user’s page without their consent. He had tried repeatedly to inform Facebook of this bug, only to be told by Facebook that the issue was not a bug. After this incident, Facebook corrected this vulnerability, which could have been a powerful weapon in the hands of professional spammers. Shreateh was not compensated by Facebook’s White Hat program because he violated their policies, making this a grey hat incident.