After an independent programmer published a data leak at a service provider for online trading, he received a visit from the police. On September 15, his apartment in North Rhine-Westphalia was searched and all his work equipment was confiscated. The affected company, Modern Solution, which on current knowledge must at least be accused of gross negligence, is stonewalling and refuses to comment to heise Security.
Modern Solution offers retailers of all kinds a way to connect their merchandise management systems to the online marketplaces of large companies such as Otto, Kaufland and Check24 so that they can offer their goods there. As a rule, such a connection is made via local software that links up with the merchant’s merchandise management system and exchanges information with the marketplace’s servers. Normally this should happen via access-protected APIs.
Not that modern solution
In June, the IT expert, whose identity is known to heise Security, discovered while troubleshooting for a Modern Solution customer that this data exchange at Modern Solution took place over an unencrypted SQL connection and that the access credentials were hard-coded in the software. As a result, the data of more than 700,000 end customers could be viewed openly on the Internet – and apparently had been for a long time.
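The two defects described above, database credentials baked into a client program that is shipped to every customer and a transport that does not enforce encryption, are both detectable before release. The following is an added example, not code from heise Security or from Modern Solution: a small pre-release scanner that walks the bytes of a build artifact, flags embedded database connection strings (URL-style and ADO-style) and flags flags that switch off transport encryption. The artifact bytes, hostnames and credentials are constructed for the example; the pattern set is an assumption and should be extended for the stacks actually in use. The scanner reports host and user but deliberately never copies the password into its findings.

```python
import re
from dataclasses import dataclass

# Constructed patterns for common embedded DB credentials (assumption: extend for your stack).
# Named groups give every pattern the same host/user/pw vocabulary regardless of field order.
CREDENTIAL_PATTERNS = [
    ("db-url", re.compile(
        rb"(?:mysql|postgres(?:ql)?|mssql|sqlserver)://"
        rb"(?P<user>[^:/\s@]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s:?]+)")),
    ("ado-connection-string", re.compile(
        rb"(?:server|data source)=(?P<host>[^;\x00]+);"
        rb"(?:[^;\x00]*;)*?(?:user id|uid)=(?P<user>[^;\x00]+);"
        rb"(?:[^;\x00]*;)*?(?:password|pwd)=(?P<pw>[^;\x00\"']+)", re.IGNORECASE)),
]

# Connection-string options that disable TLS on the database link.
PLAINTEXT_TRANSPORT = re.compile(rb"sslmode=disable|encrypt=false|usessl=false", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "embedded-credential" or "unencrypted-transport"
    offset: int    # byte offset inside the artifact, for the developer to locate it
    host: str = ""
    user: str = ""
    detail: str = ""


def scan_artifact(data: bytes) -> list[Finding]:
    """Return all findings in a binary/config blob, ordered by offset.

    Passwords are never stored in a Finding; only their length is reported, so the
    scan output itself cannot become a second leak.
    """
    findings: list[Finding] = []
    for name, pattern in CREDENTIAL_PATTERNS:
        for m in pattern.finditer(data):
            findings.append(Finding(
                kind="embedded-credential",
                offset=m.start(),
                host=m.group("host").decode(errors="replace"),
                user=m.group("user").decode(errors="replace"),
                detail=f"{name}; password length {len(m.group('pw'))}",
            ))
    for m in PLAINTEXT_TRANSPORT.finditer(data):
        findings.append(Finding(
            kind="unencrypted-transport",
            offset=m.start(),
            detail=m.group(0).decode(errors="replace"),
        ))
    return sorted(findings, key=lambda f: f.offset)


def artifact_is_releasable(data: bytes) -> bool:
    """Release gate: an artifact with any finding must not ship to customers."""
    return not scan_artifact(data)


# Constructed sample artifact: a fake binary header followed by null-separated strings,
# two of which embed live database credentials and disable transport encryption.
SAMPLE_ARTIFACT = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Server=db.example.test;Database=shop;User Id=shop_app;Password=hunter2;Encrypt=false;\x00"
    + b"some unrelated string\x00"
    + b"postgresql://sync_user:pa55word@db2.example.test:5432/orders?sslmode=disable\x00"
)

if __name__ == "__main__":
    for f in scan_artifact(SAMPLE_ARTIFACT):
        print(f"{f.kind:22} @0x{f.offset:04x} host={f.host!r} user={f.user!r} {f.detail}")
    print("releasable:", artifact_is_releasable(SAMPLE_ARTIFACT))
```

Run against the constructed sample, the scanner reports two embedded credentials (for `db.example.test` and `db2.example.test`) and two unencrypted-transport flags, and the release gate returns false. The design point is that the check runs on the artifact that actually leaves the building, not on source code alone, because build pipelines routinely inject configuration that never appears in the repository.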
The blogger Mark Steier, well known in the e-commerce community, advised the programmer to first report his find to the company. The following morning, the expert reported the vulnerability to Modern Solution and gave it three days to fix the security problem. In an interview with heise Security, the programmer said that he was rejected quite abruptly: Modern Solution denied that there was any vulnerability.
After the service provider had taken the vulnerable systems offline, however, he decided to make the incident public and turned to Steier again. Modern Solution denied that there was a security gap in its own systems. Both report, however, that the company had apparently taken the affected server offline.
Now that the vulnerability had been eliminated, the programmer and the blogger decided to inform the public quickly. Steier once again asked Modern Solution for a statement, was rejected, and then published a detailed blog post. This article went online on June 23, the same day the programmer informed Modern Solution and Steier.
The speed of publication is debatable. The IT expert and the blogger Steier went public on the same day that they reported the data leak and the vulnerability to the manufacturer and the responsible data protection authorities. Experienced security researchers and journalists usually give companies more time to comment on the matter. However, if Modern Solution rejected both of them as abruptly as the programmer reported to heise Security on record, it can be assumed that no constructive cooperation was wanted.
As clumsy as the timing of the two may seem, technically they complied with the basic rule of responsible disclosure: the gap had apparently already been closed by the time they informed the public. And with over 700,000 end customers affected, there is no doubt that a public interest in the case could be assumed. In a statement to Steier, Modern Solution refers to the programmer as an “ethical hacker”, in quotation marks.
House search as a thank you
But instead of thanks for discovering a potentially catastrophic data leak affecting 700,000 end customers, the programmer is in real trouble with the authorities. On September 15, a search squad from Criminal Investigation Department 22 of the Aachen police stood at his door. According to the programmer, the officers pretended to be parcel deliverers, gained access to the apartment and pressed him against the wall. The police confiscated a PC, five laptops, a mobile phone and five external storage media – the programmer’s entire set of work equipment.
According to the search protocol that heise Security has seen, the IT expert is accused of “spying on data” – a reference to Section 202a of the German Criminal Code, the so-called hacker paragraph. We do not know who filed the complaint. The Aachen police referred us to the Cologne public prosecutor’s office, which had ordered the search and seizure. The public prosecutor’s office confirms our information on the facts and the search. On request, the judicial authority said that the seized data carriers are still being evaluated.
The authorities do not answer why the programmer’s apartment had to be searched for evidence in September when the facts and the security gap had been publicly well documented since June. Modern Solution itself apparently does not want to comment on the situation to heise Security at all: a corresponding request went completely unanswered. Only the programmer and the blogger Steier were willing to talk to us constructively.
Parallels to the CDUconnect disaster
The case is reminiscent of similar events in August, when criminal proceedings were initiated against the programmer Lilith Wittmann for having made glaring security holes in the CDUconnect software public. The CDU withdrew its complaint after considerable political pressure in that direction, and the proceedings were eventually discontinued because the hacker paragraph was not applicable in this case.
The Berlin public prosecutor’s office gave the reason at the time: “The data was therefore not protected from unauthorized access and, from a technical point of view, was publicly available.” The Cologne colleagues should read this carefully.