Yellow FlagJan 18, 2024

German law is making security research a risky business.

Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into a software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.

I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under the German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html

Gericht sieht Nutzung von Klartext-Passwörtern als Hacken an

Der Programmierer, der eine gravierende Lücke in der Software der Firma Modern Solution aufgedeckt hat, fällt unter den Hackerparagrafen, meint das Gericht.

heise online
Show threadEmelia 👸🏻Jan 18, 2024
@WPalant that's like saying it's breaking & entering if I give you a key to my house. I gave you the key, ergo you had permission to be there.
Show threadYellow FlagJan 18, 2024

@thisismissem Difficult. If we spin this analogy further: you gave me your key for a specific purpose (e.g. pizza delivery while you were out), after which I returned it to you. You didn’t allow me to make a copy of this key and use it later to rearrange the furniture for example.

Abusing hardcoded credentials can definitely constitute hacking and cause perfectly justified criminal charges. But intention and damage caused definitely need to go into the equation, not merely “circumvention of protection mechanisms.”

Show threadTamas K Lengyel
@WPalant @thisismissem Intent and damages should absolutely matter. But it's also common sense not to use the hardcoded credentials to login and dump the database. Or if you do, why report that you did? Perfectly sufficient to just say you found the hardcoded credentials and stop there.. Bad practice on both sides.
Jan 18, 2024 at 1:22pmWeb
Show threadYellow FlagJan 18, 2024
@tklengyel @thisismissem Where did you read that he dumped the database? My understanding is that he connected to the database in the assumption that it was specific to his client, then disconnected and reported the issue immediately after realizing that it contained data on other customers as well.
Show threadTamas K LengyelJan 18, 2024
@WPalant @thisismissem Just connecting to the db won't show you what data is in it to determine it's not just your data. So he must have dumped it or at the least queried it sufficiently deeply to make that call.
Show threadBeady Belle FanchannelJan 19, 2024
@tklengyel @WPalant @thisismissem Just connect to it with a GUI tool like dbeaver (like devs are likely to do), it will show you the schema of tables.
There will be columns like “clientName” or similar, and then doing a few very simple selects will tell you whether you have access to other people’s data.
Show threadBeady Belle FanchannelJan 19, 2024
@tklengyel @WPalant @thisismissem Mixing customer data like that and giving full access to the database with the given user credentials is criminal neglect and should cost the company dearly. Not the person who figured it out.
Show threadYellow FlagJan 19, 2024
@Profpatsch @tklengyel @thisismissem According to https://nitter.net/der_sofc/status/1747644600469127386 he connected with phpMyAdmin. While I haven’t used that tool in decades, that would presumably also expose the database schema immediately.