Have to agree with Conor Mancone.
When I read the article, and I saw the line “ With the student body and faculty now backing me, I was comfortable finding more vulnerabilities in the system.” I was kind of shocked, because
1) not condemning the former action does not mean they support the latter actions, and
2) you knew that the school was not approving of you hunting for vulns in their system.
You simply cannot afford to be uninformed about how the laws work in your country for hacking. The university could easily(especially when you went back to find other vulns) have taken you to court and won, expelled you, and left you with a criminal record. You’re honestly lucky they didn’t; you put a lot of your future career in their hands.
As Conor said, having the ability to access information does not mean you have permission to… otherwise exploitation of vulns based around improper permission settings wouldn’t be prosecutable, which they most certainly are.
The proper way to go about this whole scenario would have been:
- identify a potentially vulnerable hidden form in the website
- approach the IT dept. admins and ask them to verify the vuln
- work with them (or not, if they don’t allow it) to verify the scope of the vuln (i.e. the SQLi)
- repeat 1–3 for any other potential vulns
Beyond that, you are not legally protected. Even a simple PoC using your friend’s info is not protected; he may not have the authority to grant you permission to know his mailbox combination.
It’s great to be passionate about security, but unless you educate yourself on laws related to what constitutes a crime and what does not, you’re putting yourself in real danger; a felony conviction for hacking will absolutely *murder* most prospective job opportunities in IT security.