In Germany, a security researcher has been slapped with a €3,000 ($3,300, £2,600) fine for uncovering and reporting a serious vulnerability in an e-commerce database that exposed nearly 700,000 customer records.
The saga began in June 2021 when a contractor, identified as Hendrik H., was troubleshooting software for a client of IT services firm Modern Solution GmbH. While examining the Modern Solution code, he stumbled upon a concerning issue: the program file MSConnect.exe stored the MySQL connection password to a MariaDB database server in plain text. This unencrypted hardcoded credential could be easily accessed by opening the file in a basic text editor.
Armed with this password, anyone could log into the remote server and gain access to data not only for that specific customer but for all of Modern Solution's clients stored on the same database server. This data reportedly included personal information about the customers' own clients. Compounding the problem, Modern Solution's program files were freely available on the internet, allowing anyone to scrutinize the executables for plaintext hardcoded database passwords.
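As an added example, not code from the article or from Modern Solution, here is the defender-side check a reviewer would run over shipped executables before release: it walks a binary's printable strings and reports any connection string that carries an embedded password, recording the offset and host but never echoing the secret itself. The sample bytes and every host, user and password value in them are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample "binary": a few opaque bytes with an embedded plaintext
# MySQL/MariaDB connection string, modelled on the MSConnect.exe finding.
# All values (host, database, user, password) are invented for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"Server=db.example.invalid;Port=3306;Database=shop;Uid=shopuser;Pwd=Hunter2024!;"
    b"\x00\x00\x01\x02SSL=false\x00\xde\xad\xbe\xef"
    b"some harmless text here\x00"
)

# Runs of printable ASCII of at least 8 bytes, the same thing `strings` shows.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Key=value pairs that carry a database credential (MySQL / ADO.NET style keys).
CREDENTIAL_KEY = re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*([^;\s]+)")
# Key=value pairs that name the database host, so a finding can be triaged.
HOST_KEY = re.compile(r"(?i)\b(server|host|data source)\s*=\s*([^;\s]+)")


@dataclass
class Finding:
    offset: int            # byte offset of the string inside the binary
    host: Optional[str]    # database host named in the same string, if any
    password_key: str      # which key carried the secret (the value is not kept)


def extract_strings(blob: bytes) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every printable ASCII run in the blob."""
    for match in PRINTABLE_RUN.finditer(blob):
        yield match.start(), match.group().decode("ascii")


def scan_for_hardcoded_credentials(blob: bytes) -> List[Finding]:
    """Report strings that look like a connection string with an embedded password.

    Only the offset, host and key name are returned; the password value is
    deliberately dropped so scan output can be shared without leaking it.
    """
    findings: List[Finding] = []
    for offset, text in extract_strings(blob):
        cred = CREDENTIAL_KEY.search(text)
        if cred is None:
            continue
        host = HOST_KEY.search(text)
        findings.append(Finding(offset, host.group(2) if host else None, cred.group(1)))
    return findings
```

Running the scanner over the constructed sample yields one finding at offset 14 naming `db.example.invalid`; the same pass over a release build of any client-side binary is a cheap gate that would have caught this class of defect before shipping.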
The contractor's findings were detailed in a report by Mark Steier on June 23, 2021. Modern Solution responded the same day, acknowledging a security vulnerability. They stated that the "ethical hacker" had alerted them, and an investigation was underway to determine the extent of the data exposure.
In September 2021, the police seized the IT consultant's computers following a complaint from Modern Solution. The company claimed he could only have obtained the password through insider knowledge since he had previously worked for a related firm, and they accused him of being a competitor.
In June 2023, a Jülich District Court sided with the IT consultant, stating that the Modern Solution software lacked sufficient protection. However, the Aachen regional court directed the district court to reconsider the complaint. On January 17, the Jülich District Court reversed its initial decision, imposing a fine on Hendrik H. and instructing him to cover court costs.
The court's decision has sparked controversy, with critics arguing that the punishment is unjust. The verdict is not yet legally binding, as both parties have a week to appeal, and the IT consultant reportedly plans to do so.
This case has raised concerns about the impact of German cybersecurity laws, potentially turning legitimate security research into a criminal act, and allowing companies to evade accountability for inadequate security measures, ultimately jeopardizing user safety.

Masterful storytelling! ✍️ Captivated from start to finish.