A security researcher in Germany has been fined €3,000 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records.
Back in June 2021, according to our pals at Heise, an contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made an MySQL connection to a MariaDB database server operated by the vendor.
It turned out the password to access that remote server was stored in plain text in the program file MSConnect.
With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server.
That info is said to have included personal details of those customers' own customers.
We're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords.
Today, June 23, 2021 at 8:09am, an 'ethical hacker' alerted us to a security vulnerability in our system.
Due to this vulnerability, it was possible to access the password to our database and access unencrypted passwords and personal data.
Using this database password, the hacker gained external access to our database and our ticketing system.
We currently do not know to what extent this data was passed on or further used by the 'ethical hacker' and whether further access occurred.
The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories.
It claims that only a limited amount of data - names and addresses - about shoppers who made purchases from these retail clients was exposed.
Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.
In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge - he worked previously for a related firm - and the biz claimed he was a competitor.
Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law.
In June, 2023, a Jülich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected.
The Aachen regional court directed the district court to hear the complaint.
Now, the district court has reversed its initial decision.
On January 17, a Jülich District Court fined Hendrik H. and directed him to pay court costs.
In a post to Mastodon, Wladimir Palant, a security researcher, software developer, and co-founder of Germany-based ad filtering biz eyeo, expressed frustration with the court's decision.
This Cyber News was published on www.theregister.com. Publication date: Sun, 21 Jan 2024 17:44:05 +0000