PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time
In the cybersecurity field, we talk a lot about threat actors and vulnerable code, but what doesn’t get discussed enough is intentional vulnerabilities and becoming your own threat actor. Even when making decisions with the best of intentions, it is possible to work against your own best interests. One area we see this in comes from website developers trying to safeguard their work. It can be tempting to incorporate code that gives the developer access to the site files, also known as a backdoor, in the event that the client chooses not to pay, so that the developer can remove their code or otherwise damage the site.
While implementing a backdoor may seem like a viable solution to protect your resource investment, it comes with potential ethical and legal problems, in addition to the added security risks of a backdoor hardcoded into the website. There are always better options available, even if they are less convenient for the client and developer. When developing a website, the developer should keep in mind that their needs are just as important as the client’s. Keeping this in mind will help to prevent the situations that may lead to the implementation of a backdoor on the website.
One of the biggest reasons a web developer may be tempted to include a hardcoded backdoor is to ensure their work is not used without payment. A common practice among website developers is to require 50% of the development fee up front, with the remaining sum paid upon delivery of the completed project. Especially among freelance developers, it is not uncommon to begin development even before the initial fees are paid, and even provide the final code before the final payment is received. The fear of a client not making a payment may cause a developer to believe that it is a good idea to hard code a backdoor into the project, so that the developer can remove their code or take down the site entirely as a form of retaliation.
What should be obvious is that intentionally damaging a website is a violation of laws in many countries, and could lead to fines or even jail time. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) clearly defines illegal use of computer systems. According to 18 U.S.C. § 1030 (e)(8), simply accessing computer systems in a way that uses higher privileges or access levels than permitted is a violation of the law. Further, intentionally damaging the system or data is also a crime. The penalty for violating the CFAA can include sentences 10 years or more in prison, in addition to large financial penalties.
Let’s say a developer uses a backdoor on a website they worked on simply to access the files in an unapproved manner. Even if they do not cause any damage to the system or files, the developer could face fines of $5,000 and up to five years in prison. Use of the backdoor to take the site down or otherwise damage the files or system, might lead to even more jail time and even larger fines. It could be argued that these penalties are excessive, but it’s also important to remember that they are intended as deterrents since most threat actors are never caught.
As it stands, however, freelance developers trying to protect their work are much more likely to be caught and prosecuted than scammers in countries without an extradition arrangement. An unscrupulous client who is familiar with the law could also use the threat of prosecution to extort further unpaid labor from a freelance developer who backdoored their site.
Even beyond potential legal ramifications, these practices can lead to negative word-of-mouth, which can damage the reputation of the developer. Even if the developer is able to avoid legal issues from these actions, being perceived as unethical can negatively impact future profits, and even cause a business to fail.
Another consideration is the fact that a backdoor adds a potential vulnerability to the client’s website. If the developer is able to access the site through illegitimate means, then a potential attacker may be able to use the same method to access the site’s files. Security should always be a consideration when developing a website or one of its features. Implementing insecure code can lead to similar consequences as intentionally damaging a website.
Rather than adding a backdoor into a client’s website, it is better to set clear expectations with a client regarding deliverables, and how they will be impacted by late or missing payments. It is crucial to use written contracts to specify these expectations. If possible, start with a standard written contract that all clients are required to sign and have an attorney review it for potential issues.
If there is an agreement in place that outlines the fact that no code will be provided without full payment, then the developer is under no obligation to implement the code on the production server until they have been fully paid. A development server under the developer’s control should always be used, and once agreements have been met, the code can be moved from the development server to the client’s production server.
Note: This is not intended as legal advice and we recommend familiarizing yourself with all applicable laws and consulting with a licensed legal professional in your area.
This article was written by Topher Tebow, a former Wordfence Threat Researcher.
That's why you develop site in a staging area, over which you have control. Upon final payment, launch the site on the client's url.
How can we know if there is a backdoor on our website?
If the backdoor is not being actively used, a code review is the best method of identifying it. If the backdoor is being used, the WAF logs or other server logs are useful in identifying the presence of a backdoor.