[China] Illegally obtaining data by Cookie attacks may lead to Crime of Illegally Obtaining Computer Information System Data

Facts:

In early May 2014, the defendant Xiuhao Weng found a vulnerability in the source code of Taobao stores, and used the vulnerability to obtain a cookie (a set of authentication information generated when a Taobao user logs in, using the cookie to perform all operations within the permissions of the corresponding account without an account or password) to illegally obtain Taobao user cookies of more than 26 million groups through the above method, and The obtained cookies were stored in the virtual queue.

Another Defendant Hourong Huang used the web crawler program prepared in advance by defendant Xiuhao Weng to read the cookies in the virtual queue and obtain Taobao users' transaction order data (the content contains user nickname, name, product price, transaction creation time, consignee's name, consignee's phone number, consignee's address, etc.) amounting to more than 100 million entries.

Rules:

Valid cookies during user login and access belong to identity authentication information protected by criminal law, and the behavior obtained by the defendant illegally is suspected of a crime. 

Crime of illegally obtaining computer information system data According to judicial interpretation, the data to be protected should be identity authentication information.

Result:

The court held that the defendants' intruding into the computer information system and obtaining the data stored, processing and transmitting in the computer information system, violated criminal law, and their acts committed the crime of illegally obtaining computer information system data. 

Defendands were sentenced to six years in prison and fined.