German court fines researcher who uncovered a corporate security flaw, a ruling that could hinder useful research and put users at risk
Security researchers constantly test deployed software and web services to find vulnerabilities. However, it has emerged that a German court has fined an IT consultant who, on behalf of a client, examined a piece of software and discovered a vulnerability in it.
Heise online
IT consultant in Germany fined for exposing shoddy security • The Register
https://www.theregister.com/2024/01/19/germany_fine_security/
Ethical Hacking on Trial: German Court Fines Security Researcher for Reporting a Company's Data Vulnerabilities - Socket
https://socket.dev/blog/ethical-hacking-on-trial-german-court-fines-security-researcher
In 2021, Hendrik H., a German IT consultant, troubleshot an online marketplace product management system supplied by a company called Modern Solution, at the request of a client who used the system. In the course of this work he noticed that the Modern Solution code connected directly to a MariaDB database operated by the vendor.
He also discovered that the password for this remote server was stored in clear text in the program file: opening the file in a text editor displayed the unencrypted, hard-coded credentials. Anyone who found the password could log in to the remote server and access not only the vendor's own data but also data belonging to the vendor's other clients. Since Modern Solution's program files are freely available on the web, the database password could reportedly be found simply by inspecting the files in a text editor.
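The defect described above, a database password embedded in a program file that is distributed to customers, is the kind of thing a vendor's own release pipeline can catch before anything ships. The following Python scanner is an added example; it is not code from the article, from Modern Solution or from any of the linked sources. It flags two tell-tale shapes of an embedded secret (a database URI with an inline password, and a `password = ...` style assignment) while ignoring values that are clearly resolved at runtime. The two configuration samples, their host names, user names and passwords are all constructed for illustration. Note that removing the secret from the file only addresses the symptom: a client program that can reach the vendor's shared database at all can still reach other clients' data, so the structural fix is a server-side API that authorizes each client for its own data only.

```python
"""Detect hard-coded database credentials in files that ship to end users.

Added example, not code from the article or from Modern Solution. The config
samples below are constructed for illustration; the host names, user names and
passwords in them are made up.
"""
import re
from dataclasses import dataclass

# Two tell-tale shapes of an embedded secret: a database URI with an inline
# password, and a "password = ..." style assignment. Group 1 is the secret.
PATTERNS = {
    "connection_uri": re.compile(
        r"\b(?:mysql|mariadb|postgres(?:ql)?|mongodb)://[^\s:/@]+:([^\s@]+)@[^\s/]+",
        re.IGNORECASE,
    ),
    "password_assignment": re.compile(
        r"""\b(?:passw(?:or)?d|pwd|db_pass(?:word)?)\s*[=:]\s*["']?([^\s"';,]{4,})""",
        re.IGNORECASE,
    ),
}

# Values that mean "filled in at runtime" rather than a real secret.
KNOWN_PLACEHOLDERS = {"changeme", "password", "<password>", "redacted"}
RUNTIME_PREFIXES = ("${", "{{", "%(", "os.environ", "os.getenv", "getenv(")


@dataclass
class Finding:
    line_no: int
    kind: str
    preview: str  # first two characters of the secret, rest masked


def _is_placeholder(value: str) -> bool:
    v = value.strip().strip("\"'").lower()
    return v in KNOWN_PLACEHOLDERS or v.startswith(RUNTIME_PREFIXES)


def _mask(secret: str) -> str:
    # Never echo the secret itself into a report or a CI log.
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per embedded secret, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if _is_placeholder(secret):
                    continue
                findings.append(Finding(line_no, kind, _mask(secret)))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a file on disk, e.g. every file in a release bundle."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: what a client-side program file must never contain.
SAMPLE_SHIPPED_CONFIG = """\
# constructed sample: client-side config with the vendor's shared DB password
[database]
host = db.vendor.invalid
user = shop_app
password = "Sup3rS3cret!"
dsn = mariadb://shop_app:Sup3rS3cret!@db.vendor.invalid:3306/shop
"""

# Constructed sample: the secret is supplied at runtime, not shipped.
SAMPLE_HARDENED_CONFIG = """\
# constructed sample: value injected from the deployment environment
[database]
host = db.vendor.invalid
user = shop_app
password = ${DB_PASSWORD}
"""


if __name__ == "__main__":
    for label, sample in (("shipped", SAMPLE_SHIPPED_CONFIG),
                          ("hardened", SAMPLE_HARDENED_CONFIG)):
        results = scan_text(sample)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no}: {f.kind} -> {f.preview}")
```

Run against the shipped sample the scanner reports two findings (the assignment on line 5 and the URI on line 6); the hardened sample produces none because `${DB_PASSWORD}` is recognised as a runtime placeholder. Wiring `scan_file` over every file in a release artifact, and failing the build on any finding, is the check a vendor would want.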
Mr. H reported the issue to Modern Solution, but the company's response to the report was weak and it refused to comment on the issue. Mr. H therefore disclosed the vulnerability to technology journalist Mark Steyer, and on June 23 an article about the possibility of a data leak was published online.
In his article, Steyer urged Modern Solution's customers to consult an attorney and blamed the security flaw on Modern Solution's negligence. Modern Solution issued a statement (PDF file) in response, but later accused Mr. H of "obtaining the password through an insider and illegally accessing password-protected data." In September, police raided Mr. H's home and workplace and seized his laptop, smartphone, external storage media and other items.
Mr. H was indicted on charges of unauthorized data access. The defense stated that "Mr. H's actions constituted an ethical security test, conducted as part of a client-requested analysis, and will help improve the security of Modern Solution." The company argued that the vulnerability had been identified. However, the Jülich District Court ruled that "the IT consultant's actions amount to unauthorized access to and espionage of external computer systems," and in January 2024 imposed a fine of 3,000 euros (approximately 480,000 yen).
'This fine order is all the more shocking because it is fundamentally wrong,' Steyer wrote in an article about
This judgment is not yet legally binding, and Mr. H plans to appeal.
It has been pointed out that court-imposed fines for non-criminal security tests risk hindering ethical security research and slowing corporate efforts to improve security.
Security media outlet Socket.dev writes: "A malicious hacker could disrupt services, sell customer data, sell vulnerabilities on the black market, and do much more to Modern Solution and its reputation. It could have done a lot of damage. Instead of thanking the researcher, the company rewarded him by criminalizing the attempt that led him to protect its systems."
In a post on Mastodon, security researcher Vladimir Palant said: "I really hope this ruling is overturned, but this is exactly what people feared. Whatever flaws the supposed 'protection' has, its mere existence turns security research into criminal hacking under German law. It allows security to be compromised, ultimately putting users at risk."
Posted in Software, Web Service, Security by log1h_ik