Welcome to Ask A Pentester, where you can get your security questions answered by members of the IT Security community!


What if you pentest someone who, unknowingly to you, lies that they have authority?

+1 vote

Client A signs a contract stating that he owns or is authorized to represent the owner of a Network.  He asks a penetration testing company to crack it. After they crack it, recover the pass, tell him how to make it more secure; they find out it's not actually his network and now he has the password. Who is liable?

 
The contract they signed says, among other things:
 

The client does hereby retain the provider for the purpose of providing Penetration Testing services on the client’s computers and/or Networks.

The client has provided the provider with certain required information regarding the scope and range of the tests and the client hereby warrants that all information provided is true and accurate and that the client owns or is authorized to represent the owners of the computers systems and networks described in Form A. The client further warrants and represents that he/she is authorized to enter into binding legal agreements.

 

asked 11 months ago by askapentester82134 (40 points)

2 Answers

0 votes

Hello,

Disclaimer: I am no lawyer.

The outcome of this situation might depend on which country things happen in.

IMHO, if the pentesting company did everything they could to verify the (finally wrong) claims by the client (e.g. analysis of host/domain names, whois lookup), the client might be responsible for any damage.

Regards,

Marc

answered 11 months ago by Marc Ruef enthusiast (480 points)
0 votes

One thing you would expect is that he gives them the password first, then they try to crack it. They shouldn't be giving anyone a password if they are not 100% sure they own the system in discussion. And a signed contract doesn't prove he owns it.

So I would say if that's how pentest companies work, it's their fault.

answered 10 months ago by Konvict amateur (200 points)
