I’m getting a little frustrated with my latest interview/coding challenge. They want me to build a backend for an interface and if I have time add a frontend. OK, no problem. Oh, wait, one problem. The problem is before I even begin I have to crack a private API of another company. Not to do anything malicious, but to build an alternate interface to an existing account.
This just seems bizarre to me. The job has nothing to do with hacking or cracking APIs. Is this a typical job requirement? I’m not sure how I feel about this, morally. I know hacking is considered cool now, but I’ve always been one to respect other people’s property and using someone’s server (especially at a for profit company) in a way that they didn’t intend – it leaves me with a bad taste in my mouth.
I’ve never even considered learning to hack as a career move. Maybe it’s good to understand it a little at least for understanding security better.
So, I’m struggling with the challenge. I set up some MITM software and I’ve figured out a few API endpoints. I just can’t figure out how to keep myself logged in while I call other endpoints. It’s easy to do if I’m building this – I just don’t know how to figure out how to do it if I’m hacking into something.
It’s too bad – the rest of the challenge seems like it would be a snap – if I could just get past the hacking step. It seems like a good company too. And it seemed like a good fit, until now. Maybe it’s for the best.
What are people’s thoughts on this? Is it common to ask people to hack something in an interview? I guess this would be grey hat hacking? I could understand if they were asking me to hack their API, but some other company’s? Is this common? Is it ethical?
Oooooohhhh… maybe THAT is the test? Will you do it or not? Hack/crack the private API of another company. Maybe it’s some kind of wax-on, wax-off type of moral/character training shit.
I’m not in your position, haven’t interviewed for these kinds of jobs yet, or been put in an ethical grey area by any employer before, so please accept my opinion for what it is: the musings of someone with no experience to inform their opinion.
That said, this is unethical.
If they have a business use case for reformulating the data behind a hidden API, they should pay the company for access to the data, or partner up with them.
If I did this and they still wanted me, I’d be concerned that next time they’d ask for more.
That thought did cross my mind. Maybe I was supposed to just refuse on moral grounds.
But again, this is fairly benign stuff. Most people nowadays seem to have an “it’s not immoral if I can get away with it” attitude. Think of how much things have changed in the last decades, with movie and music piracy, etc. A lot of software is free and open source. I think the general attitude with a lot of young people is that everything should be free - in both the “cost” and “access” senses of the word. If you talk to a young person today, they just expect music to be free. When I was young, no one thought that. I think the attitude with gray hat hacking a web site is that “if they leave the window unlocked then it’s their fault if I go take a look around”.
Even the term “hack” - when I was young, that was a bad thing. Now everything is a hack - “Hack your metabolism!”, “15 kitchen hacks!”, “Hack your relationship!”… It’s been so normalized. When I was growing up, a hacker was a criminal, period. There were no gray hat hackers, let alone white hat. “Hack” used to be a very bad word, either meaning a criminal, or someone doing a very messy job of something.
I’m assuming that these guys are sincere. They just don’t see anything wrong with this kind of stuff. But it makes me uncomfortable. If I were doing anything even remotely destructive, I would have said no, but this is just reading data from my own account. But it still feels wrong - I know I wouldn’t want people messing around in my servers in unauthorized ways. Plus, I have no idea what I’m doing.
This is not related to their business in any way. I think the guy just thought it was an interesting challenge. I know some people enjoy hacking private APIs for sport (been reading some blog posts), maybe he’s into it for fun. But there is no connection between the API they have me hacking and what their business is.
I dunno - cracking private data for shits and giggles still sounds iffy to me.
Don’t get me wrong, I have tinkered with a few sources of data I didn’t strictly have legit access to, but that wasn’t at the behest of a potential future employer.
If this is YOUR data, then I have a 180° flip of opinion for you! If it’s about you, as far as I’m concerned, you can physically break into a bank vault to obtain it.
You see, but to extend your metaphor, I can’t break into a bank, even if it’s only my money I’m taking.
For me there are two issues - who owns the data and on whose property it resides. Yes, it’s my data (at least as I understood the challenge) but it is still on someone else’s server. Maybe I’m old fashioned, but I still have an idea of property rights. If I borrow my neighbor’s vacuum, do they have the right to break into my home at 2am to get it back?
Again, maybe I’m old fashioned. I think people should get to determine how their own servers are accessed. They’ve clearly gone to a lot of trouble to make it difficult for me to access.
Keeping morality aside, EVERY software provider who exposes REST endpoints KNOWS that the API can be accessed by anyone. They guard their data with that threat in mind. Those who are concerned about the exposure of REST opt for server side rendering.
What I think is more important here is whether YOU know how to watch and manipulate REST endpoints.
In order for you to do this, you must have a strong understanding of REST, and without that you can’t solve not-so-straightforward challenges. Thus, hacking.
Copying headers from a successful request enables you to access the same endpoint with your request. That is what I think they’re testing for, whether or not you understand REST and HTTP.
By all means, if the job description asks you to do anything that violates your moral integrity, just leave the offer.
That being said, an understanding of REST and HTTP is vital, and with that knowledge you can potentially steal the private data (if at all you care about that shit).
Perhaps. I was mainly into coding in the 1990s. Back then I always heard “hacker” used to mean someone doing something wrong. Later on in that article (especially in the “programming” section) it mentions some of the negative connotations with which I’m familiar.
I think it’s also important to distinguish how hackers see themselves, how the programming world sees them, and how the general public sees them. I know that hackers like to see themselves as rakish pirates. Similarly, everyone I’ve ever met that pirates music, software, etc. thinks of themselves as some iconoclast, fighting corporate greed, fighting for freedom.
But you’re right, there is a difference between a hacker that is trying to make something work in a different and new way and a hacker that is trying to break into something. In my brief stint as a programmer, I was kind of on the periphery of the coding world and I think I was thinking of the general public perception. In the 1990s, if you said “hacker”, you imagined a guy in a basement somewhere trying to break into a bank’s database. I don’t ever remember it having a positive connotation. Maybe I’m too fixated on that image.
Well, the bank vault idea is admittedly a little too much exaggeration to be useful…
I guess you have to reconcile how serious the private property aspect is.
I think if they’ve made reasonable attempts to secure the API and you’re doing something akin to lockpicking to get in, then you’re on the dodgier side of things. If there’s not much of a barrier, then go ahead.
My neighbour breaking in to take the lawnmower back: bad.
A neighbourhood kid kicking a ball over my fence and noticing my gate is unlocked, decides to pop in and out to retrieve it real quick: no big deal. As long as he doesn’t trample my geraniums.
My frisbee lands on a small, knee high fenced off area of grass that includes a “keep off the grass” sign… I’m getting my frisbee back.
It seems in the case at hand, you have credentials to the service and the goal is to ‘reverse engineer’ the front end client to hit the same endpoints without seeming suspicious to their servers. Is that about it? Can you tell us which service it is?
Originally, I thought you were being asked to break the law by gaining access to a private network but this seems much more benign.
I think they were asking you to figure out their private API and make a new account interface. It’s not hacking as in breaking into a computer system but as in putting something together quickly. I’m not sure how your interview went, however if you come across this again Chrome’s developer console is great for watching API calls while developing the new interface.
Please don’t take this as an insult or anything, but are you sure that what they want you to do is to break the security of another application? Are you supposed to gain access to data that you don’t have credentials for or bypass credentials altogether? Or are they asking you to interface with an application via an API instead of through the web UI? If the goal is just to perform authorized operations via a terminal or script, then it’s an odd (in my experience) interview technique, but I wouldn’t be stressed about the legality or morality of it.
That’s the exact perspective I’m thinking of. I really hope the author of this thread had a successful interview and is able to get the job they applied for.
Absolutely man. Ask everything Ariel just said and even email the targeted API’s support. I hate to say it, but it sounds like a scam to me, that they’re gonna take your finished backend code and walk away. Have you ever met them face to face? Not trying to discourage anything or anyone, but just keep that in mind.
For all we know the company may have a partnership with whatever API you were asked to hack/reverse-engineer. Most companies won’t use interviews as a place to commit crimes. It’d be bad for business.