A Criminal Vulnerability Disclosure
The story of German hacker Lilith Wittmann who ran into trouble with the law after finding a security vulnerability.
Infosec is a complicated field. While we as a field mostly deal with technology, some, if not most of us also deal with legal questions, bureaucracy and other relatively annoying problems. Here in particular, I want to share my hands-on experience and other fairly recent cases of infosec trouble in Germany as a whole.
It was late in the evening, I was just browsing the web, reading the local news, and I most likely raised an eyebrow. A hacker known as Lilith Wittmann, who found a security vulnerability in an app used by the CDU (a political party here in Germany), got a criminal charge from the CDU. While I thought it was hilarious, it was also kinda sad to see this still happening.
While I'm confident that Lilith Wittmann is a very intelligent and wise hacker, the security vulnerability she found in the CDU's app wasn't very complex or anything of that sort; it was simply a gigantic fail on the CDU's part. Later in court this also aided Lilith's case, since the confidential data she had access to wasn't protected at all, or at least not well enough for the value of such data. There's obviously way more to this than what I'm writing here, but the case has been covered in many other news outlets, so I'm just breaking down what you need for this article.
Curiosity Killed The Infosec Researcher
Since I've known Lilith for quite some time (even if not that personally, and just under my Twitter handle), the newspaper articles sparked a great interest in me. Therefore I decided to see if I could find any security vulnerability in my local division of the CDU. That was also the start of my personal drama.
Long story short, after digging through everything I could in about 30 minutes, I found the first problem. My city had (and still has, as far as I know) an online whiteboard which shows the short-, mid- and long-term measures they want to take to improve life in the city, etc.
While it was pretty interesting to find this, it was also kinda disturbing. After all, it only took me around 15-20 minutes to find it. What was even more disturbing, though, is the fact that anybody could theoretically have edited the whiteboard, because there weren't any protection measures in place.
So, as someone who supports the concept of responsible disclosure, I sent them an email. Then I waited and waited. One week, two weeks, a month, etc. Apparently they didn't read the email, so I tried to contact them on Twitter, via WhatsApp, and even went as far as contacting the national CERT.
What was even sadder than not getting an email back was the fact that they read my message on WhatsApp and didn't write back. Only somebody from the CERT-Bund got back to me and offered to formally contact the CDU. At this point, though, I didn't want to find out what would happen if I were to put serious pressure on such an enormous entity, so I happily declined. Just in case: yes, I'm aware that you can contact somebody anonymously through the form the CERT-Bund provides, but the CDU could probably have figured out pretty easily who submitted the vulnerability, so I didn't want to risk anything.
Long story short
That is a little sneak peek from my side of things, as somebody who considers themselves enthusiastic about infosec. What is your takeaway from all this? Well, that the CDU is apparently incompetent concerning technology, that they're pretty incompetent concerning the topic of responsible disclosure, and that there should be more legal protections for infosec researchers who are just doing their job and shouldn't have to constantly worry about landing in court.