Post AybzLimFvpbb0o8AkK by WPalant@infosec.exchange
Post #AybzLdV3YLsOe12rk8 by WPalant@infosec.exchange
2024-01-18T12:25:12Z
0 likes, 1 repeats
German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html
Post #AybzLimFvpbb0o8AkK by WPalant@infosec.exchange
2024-11-09T08:51:18Z
0 likes, 0 repeats
And the second instance confirms the ruling. 🙄 There will be more instances but this is disappointing.

Apparently, the matter of the publicly available password wasn’t discussed at all. It was all about illegitimate access to data, regardless of inadequate data protection. Guilty in the sense of the law.

This law was about to be adjusted, defusing it for security researchers. Unfortunately, with the German government breaking up it’s unclear whether that change can still happen. It’s pretty much a given that the next government won’t be interested in fixing this issue.

Source: https://www.heise.de/news/Modern-Solution-Berufungsgericht-bestaetigt-Schuld-des-Sicherheitsforschers-10007090.html
Post #AybzLnglffBcFEbMO0 by WPalant@infosec.exchange
2025-09-26T18:59:38Z
0 likes, 0 repeats
Unfortunately, there is no happy ending to this story. Reminder: a consultant was hired to figure out an issue with an application made by Modern Solution. He found hardcoded database credentials in the application (via the advanced hacking tool called text viewer), connected to the database and realized that it stored the data of all customers – not merely that of his employer. He reported the vulnerability to Modern Solution who decided to press hacking charges against him.

The German Federal Court of Justice declined to look at the case, meaning that the previous instance’s decision stands: he is guilty. As the previous instance explained, that’s because he didn’t stop when he realized that he had access to other people’s data but decided to document the extent of the issue with screenshots.

Unfortunately, finding security vulnerabilities without the vendor’s consent (meaning e.g. bug bounties or being hired explicitly) is a legal minefield. That’s why I prefer looking at stuff running locally on my device, and if I ever have to hit a server I try to avoid any deviations from requests which could occur “naturally.” It doesn’t matter how harmless your request was meant to be. If you hit a bug that deletes the data of a million customers: good luck proving your innocence. You can of course claim that the vendor’s bug is to blame, but the vendor can explain how this could have never happened during regular use of the system and your unauthorized penetration test is at fault.

Different countries have different rules placing the boundary between “regular use” and “hacking.” German law is rather restrictive here, and without a Federal Court ruling no improvements are coming. In fact, not even staying on your hardware is sufficient to be on the safe side; in some cases you might become liable here as well (thank you, movie industry).

Either way, this means that the next time you find hardcoded credentials in an application (database, Firebase, cloud storage bucket), your choices are rather limited. You can observe how the application uses these credentials, and once you have sufficient reason to suspect that these credentials allow access to more data than your own you report this bug to the vendor. Of course without any proof the vendor will downplay the issue. If you are lucky (which is unlikely) they will at least fix it.

Using the credentials yourself to “look around” now definitely constitutes “hacking” under German law – there is a password, hence there is a protection being circumvented. So getting proof and staying on the legal side isn’t possible at the same time.

In the meantime people who will abuse the vulnerability can verify it in two minutes. And enjoy the vulnerability staying around for a long time, since the vendor who built this certainly won’t fix it without a nudge from outside.
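The recurring technical element in this thread is credential material (a database password, cloud keys) shipped in plain text inside an application. The vendor-side control that prevents that situation from arising is a secret scan of the build artifacts before release. Below is an added example of such a scanner; it is not code from the thread's author or from Modern Solution. The regex patterns, the `Finding` type, the `redact` helper and the `SAMPLE_CONFIG` fragment are all constructed for illustration (the `AKIA…EXAMPLE` value is the publicly documented AWS placeholder key, not a real credential). Findings are redacted so that a scan report never itself becomes a copy of the secret.

```python
"""Hardcoded-credential scanner (added example, not the thread author's or the vendor's code).

Flags credential material embedded in application files (source, config,
strings dumped from a binary) so a vendor can catch it before shipping.
All patterns and the sample input are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Every pattern captures the secret in a group named "secret" so it can be redacted.
PATTERNS = {
    # mysql://user:password@host:3306/dbname  (also postgres://, mongodb://, redis://)
    "db-uri": re.compile(
        r"\b(?P<scheme>mysql|postgres(?:ql)?|mongodb|redis)://"
        r"(?P<user>[^:/\s@]+):(?P<secret>[^@\s]+)@(?P<host>[^/\s:]+)", re.I),
    # jdbc:mysql://host/db?user=u&password=p
    "jdbc-password": re.compile(
        r"jdbc:[^\s\"']*?[?&]password=(?P<secret>[^&\s\"']+)", re.I),
    # password = "..."  /  DB_PASS: ...  /  aws_secret_access_key = ...
    "password-assignment": re.compile(
        r"\b[a-z0-9_]*(?:pass(?:word|wd)?|secret)[a-z0-9_]*\s*[:=]\s*"
        r"[\"']?(?P<secret>[^\"'\s;,]{4,})", re.I),
    # AWS access key id: the public format is "AKIA" followed by 16 upper-case alphanumerics
    "aws-access-key-id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str  # the secret is never stored in clear


def redact(secret: str) -> str:
    """Keep only the length and the first two characters: enough to locate, not enough to reuse."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_lines(lines: Iterable[str]) -> list[Finding]:
    """Run every pattern over every line; one Finding per match, in file order."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(kind, n, redact(m.group("secret"))))
    return findings


def scan_text(text: str) -> list[Finding]:
    return scan_lines(text.splitlines())


# Constructed sample: a config fragment of the kind a vendor might ship with every installation.
# The AKIA... value is the AWS documentation placeholder; the other values are made up.
SAMPLE_CONFIG = """\
[logging]
level = debug

[database]
; shared across every customer installation
url = mysql://shopsync:Sup3rS3cret!@db.example.invalid:3306/all_customers
timeout = 30

[cloud]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def main() -> None:
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")


if __name__ == "__main__":
    main()
```

Run as a pre-release gate, a non-empty result from `scan_text` on the packaged files should fail the build. The patterns are deliberately broad; a real deployment would add an allow-list for known placeholders and tune the assignment pattern to the project's own config syntax.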