Hmm, what crime would that be? He has not sabotaged anything on the vulnerable websites, he has not used it to gain access to any data, and he has not used it to impersonate or trick anyone.
I'm reading the laws now... It seems that "unauthorized access" itself, may be a crime which he has committed? Also, the laws vary by state and I'm having trouble figuring out what the federal laws are.
Obviously, he didn't commit any fraud or steal any information, and I can't imagine anyone would want to prosecute him.
edit: it looks like he's probably relatively in the clear on this? Most of the laws seem to require intent, fraud, or thievery. It's all very confusing.
edit 2: downvotes? I'm sorry for worrying that our laws and legal system sucks?
A lot would depend on how "access" is defined, I imagine.
What I did was provide input to a publicly accessible script on their server. I didn't have to "break in" to anything to do so, or to find out about it. So it'd hinge on whether or not using someone's website in a way they didn't intend you to counts as being "unauthorized access".
Possibly but I doubt it. He has only made people access their own web browsers, so while there might be a case for unauthorized access it seems very weak to me.
