[BreachExchange] Data leak at Modern Solution: House search instead of bug bounty

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Oct 21 08:55:05 EDT 2021


https://marketresearchtelecast.com/data-leak-at-modern-solution-house-search-instead-of-bug-bounty/182043/


After an independent programmer published a data leak at a service provider
for online trading, he received a visit from the police. On September 15,
his apartment in North Rhine-Westphalia was searched and all his work
materials were confiscated. The affected company, Modern Solution, which
according to current knowledge must at least be accused of gross
negligence, is stonewalling and does not want to comment to heise Security.


Modern Solution offers retailers of all kinds a way to connect their
merchandise management systems to the online marketplaces of large companies
such as Otto, Kaufland and Check24 so that they can offer their goods there.
As a rule, such a connection is made via local software, which connects to
the merchant's merchandise management system and exchanges information with
the servers of the marketplace. Normally this should be done via
access-protected APIs.


Not that modern solution
In June, the IT expert, whose identity is known to heise Security, discovered
while troubleshooting for a Modern Solution customer that this data
exchange at Modern Solution ran over a plaintext SQL connection and that
the access credentials were hard-coded in the software. As a result, the
data of more than 700,000 end customers could be viewed openly on the
Internet – and apparently had been for a long time.
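The setup described above, local client software talking directly to a database over a plaintext SQL connection with the credentials fixed in the software, where the article expects an access-protected API, is the kind of thing a configuration audit can catch before the software ships. The following Python script is an added example and is not code from the article, from heise Security or from Modern Solution; the connection strings, hosts and credentials in it are constructed placeholders, and the TLS parameter names it knows about cover the common MySQL and PostgreSQL DSN dialects.

```python
"""Audit the connection settings a client application ships with.

Added example, not code from the article or from Modern Solution. It checks
constructed configuration entries for the failure modes the article describes:
client software connecting straight to a database, access credentials
embedded in the shipped configuration, and a transport that does not enforce
TLS. Hosts, user names and passwords below are placeholders.
"""
from urllib.parse import parse_qs, urlparse

# URL schemes that mean the client talks to a database directly instead of
# going through an access-protected API in front of it.
DB_SCHEMES = {"mysql", "mariadb", "postgres", "postgresql", "mssql"}

# Query-string keys used by common DSN dialects to configure TLS, and the
# values that leave it switched off or merely optional.
TLS_KEYS = ("ssl-mode", "sslmode", "ssl")
TLS_OFF_VALUES = {"disabled", "disable", "0", "false", "preferred", "prefer", "allow"}

# Constructed sample configuration: one entry of the kind the article
# criticises, one that follows the access-protected-API model.
SAMPLE_CONFIG = {
    "legacy_db": "mysql://shopsync:Sup3rSecret@db.example.invalid:3306/erp?ssl-mode=DISABLED",
    "hardened_api": "https://api.example.invalid/v1/orders",
}


def audit_dsn(dsn):
    """Return the list of findings for one connection string (empty = clean)."""
    findings = []
    parts = urlparse(dsn)
    scheme = parts.scheme.lower()
    # parse_qs keeps a list per key; the last value wins, compared case-insensitively.
    params = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}

    if scheme in DB_SCHEMES:
        findings.append("direct database connection from client software")
        tls = next((params[k] for k in TLS_KEYS if k in params), None)
        if tls is None or tls in TLS_OFF_VALUES:
            findings.append("TLS not enforced on database transport")
    elif scheme == "http":
        findings.append("plaintext HTTP transport")

    # urlparse exposes user:password@ from the authority part; a password here
    # means every copy of the shipped software carries the same secret.
    if parts.password:
        findings.append("credentials embedded in shipped configuration")
    return findings


def audit_config(config):
    """Map each configuration entry name to its findings."""
    return {name: audit_dsn(dsn) for name, dsn in config.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The three findings are reported separately on purpose: switching the client to an encrypted database connection fixes only the transport, and every shipped copy still holds a credential that grants direct access to all customers' records. Only the API model, where the marketplace side issues each merchant its own revocable credential and the database is never reachable from the client, clears all three.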

The blogger Mark Steier, well known in the e-commerce community, advised
the programmer to first report his finding to the company. The following
morning, the expert reported the vulnerability to Modern Solution, giving
it three days to fix the security problem. In an interview with
heise Security, the programmer said that he was rejected quite abruptly:
Modern Solution denied that there was any vulnerability.

After the service provider had nevertheless taken the vulnerable systems
offline, he decided to make the incident public and turned to Steier again.
Modern Solution continued to deny that there was a security gap in its own
systems. Both report, however, that the company had apparently taken the
affected server offline.

Now that the vulnerability was eliminated, the programmer and the blogger
decided to quickly inform the public. Steier once again asked Modern Solution
for a statement, was rejected, and then published a detailed blog post. This
article went online on June 23, the same day the programmer had informed
Modern Solution and Steier.

Inept disclosure
The speed of publication is debatable. The IT expert and the blogger Steier
went public on the same day that they reported the data leak and the gap to
the manufacturer and the responsible data protection authorities. Experienced
security researchers and journalists usually give companies more time to
comment on the matter. However, if Modern Solution rejected both of them as
abruptly as the programmer reported to heise Security on the record, it can
be assumed that no constructive cooperation was desired.

As clumsy as the timing of the two may seem, technically they complied
with the basic rule of responsible disclosure: the gap had apparently
already been closed by the time they informed the public. And with over
700,000 end customers affected, there is no doubt that a public interest in
the case could be assumed. In a statement to Steier, Modern Solution refers
to the programmer as an "ethical hacker" – in quotation marks.

House search as a thank you
But instead of thanks for discovering a potentially catastrophic data
leak affecting 700,000 end customers, the programmer got into real trouble
with the authorities. On September 15, a search squad from Criminal
Investigation Department 22 of the Aachen police stood at his door.
According to the programmer, the officers pretended to be parcel
deliverers, gained access to the apartment and pressed him against the
wall. The police confiscated a PC, five laptops, a mobile phone and five
external storage media – the programmer's entire set of work tools.

According to the search protocol, which heise Security has seen, the IT
expert is accused of "spying on data" – a reference to the so-called hacker
paragraph, Section 202a of the German Criminal Code. We do not know who
filed the complaint. The Aachen police referred us to the Cologne public
prosecutor's office, which had ordered the search and seizure. The public
prosecutor's office confirms our information on the facts and the search.
The judicial authority said on request that the seized data carriers are
still being evaluated.

The authorities do not answer the question of why the programmer's apartment
had to be searched for evidence in September when the facts and the security
gap had been publicly and thoroughly documented since June. Modern Solution
itself apparently does not want to comment on the situation to heise Security
at all: a corresponding request went completely unanswered. Only the
programmer and the blogger Steier were willing to talk to us constructively.

Parallels to the CDUconnect disaster
The case is reminiscent of similar events in August, when criminal
proceedings were initiated against the programmer Lilith Wittmann for
having made glaring security holes in the CDUconnect software public. The
CDU withdrew its complaint after there had been a lot of political pressure
in this direction, and the proceedings were finally discontinued because
the hacker paragraph was not applicable in this case.

The Berlin public prosecutor's office gave the reason for this at the
time: "The data was therefore not protected from unauthorized access
and, from a technical point of view, was publicly available." The Cologne
colleagues should read this carefully.