German law is making security research a risky business.

Current news: a court found a developer guilty of “hacking.” His crime: he had been asked to look into a piece of software that produced far too many log messages, and he discovered that this software was opening a MySQL connection to the vendor’s database server.

When he checked that MySQL connection, he realized that the database contained data belonging not merely to his client but to all of the vendor’s customers. So he immediately informed the vendor, who fixed the vulnerability and pressed charges at the same time.

There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, no decompiling required) counts as sufficient protection to justify hacking charges. The court ruled that it does: there was a password, so there was a protection mechanism that was circumvented, and that is hacking.

I very much hope that a next-instance ruling will overturn this decision. But it is exactly what people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, lets companies get away with inadequate security, and in the end endangers users.

Source: https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html

Court views use of plaintext passwords as hacking

The programmer who uncovered a serious vulnerability in the software of the company Modern Solution falls under the hacker paragraph, the court holds.

heise online
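The ruling turns on credentials that were embedded in the client application in plain text. The following is an added example, not code from the original post or from the software discussed in the linked article: a minimal string-extraction scan that shows how such credentials surface from a binary without any decompiling, and which a vendor could run against its own release artifacts before shipping. The sample “binary”, hostnames, user names and passwords are constructed for the example, and the connection-string patterns it searches for are assumptions about common DSN and config formats, not details of the actual software.

```python
"""Pull plaintext credentials out of a binary with nothing but string extraction.

Added example for this post, not code from the original post or from the
software discussed in the linked article. The sample binary, hostnames, user
names and passwords below are constructed; the credential patterns are
assumptions about common DSN/config formats, not facts about that software.
"""
import re
from dataclasses import dataclass

# Runs of 8+ printable ASCII bytes, the same heuristic `strings -n 8` uses.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{8,}")

# URI-style DSN: scheme://user:password@host[:port]/...
DSN_RE = re.compile(
    r"\b(mysql|postgres(?:ql)?|mssql)://([^:/\s]+):([^@\s]+)@([^\s/?;\"']+)", re.I
)
# key=value fragments as found in ODBC/ADO-style connection strings or config text.
PWD_RE = re.compile(r"\b(?:pwd|password|passwd)\s*=\s*['\"]?([^\s;'\"]+)", re.I)
HOST_RE = re.compile(r"\b(?:server|host)\s*=\s*([^\s;'\"]+)", re.I)
USER_RE = re.compile(r"\b(?:uid|user(?:name)?)\s*=\s*([^\s;'\"]+)", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str             # "dsn" or "kv"
    offset: int           # byte offset of the string inside the binary
    host: str
    user: str
    secret_redacted: str  # never keep the clear-text secret in a report


def extract_strings(blob: bytes):
    """Yield (offset, text) for every printable ASCII run, like `strings`."""
    for m in STRINGS_RE.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def redact(secret: str) -> str:
    """Keep two characters so a finding can be matched to its source, hide the rest."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan(blob: bytes) -> list[Finding]:
    """Return every embedded credential found in the binary, secrets redacted."""
    findings: list[Finding] = []
    for offset, text in extract_strings(blob):
        m = DSN_RE.search(text)
        if m:
            findings.append(Finding("dsn", offset, m.group(4), m.group(2), redact(m.group(3))))
            continue
        m = PWD_RE.search(text)
        if m:
            host = HOST_RE.search(text)
            user = USER_RE.search(text)
            findings.append(Finding(
                "kv", offset,
                host.group(1) if host else "?",
                user.group(1) if user else "?",
                redact(m.group(1)),
            ))
    return findings


# Constructed stand-in for a client executable: a fake ELF header, ordinary log
# strings, and two embedded connection strings. All values are made up.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(20)
    + b"Starting log forwarder v1.2\x00"
    + b"Server=db.vendor.example;Uid=app_shared;Pwd=Hunter2!2024;Database=allcustomers\x00"
    + bytes(16)
    + b"mysql://reporting:s3cr3tP4ss@db.vendor.example:3306/allcustomers\x00"
    + b"log message count exceeded\x00"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_BINARY):
        print(f"{f.kind:3} @0x{f.offset:04x} host={f.host} user={f.user} secret={f.secret_redacted}")
```

The point of the scan is not sophistication but the opposite: anything that ends up as a literal in a shipped client is readable by everyone who has the client, so a password embedded this way cannot gate access to a database shared by all of a vendor’s customers. The report redacts the secrets on purpose, since a finding only needs to show that a credential is there, not what it is.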
@WPalant that's like saying it's breaking & entering if I give you a key to my house. I gave you the key, ergo you had permission to be there.

@thisismissem Difficult. If we spin this analogy further: you gave me your key for a specific purpose (e.g. pizza delivery while you were out), after which I returned it to you. You didn’t allow me to make a copy of this key and use it later to rearrange the furniture for example.

Abusing hardcoded credentials can definitely constitute hacking and cause perfectly justified criminal charges. But intention and damage caused definitely need to go into the equation, not merely “circumvention of protection mechanisms.”

@WPalant in this case it just sounds like he used the key to open the front door, saw an absolute mess and notified the company of the issue.

@thisismissem @WPalant this seems to omit the other side of the story. If I understand this correctly, vendor software was making undocumented calls to outside infrastructure and sharing potentially sensitive data. It should be within the company’s right to check the level of exposure to properly protect their and their customers’ rights.

@RakowskiBartosz Surely you forgot to add a sarcasm tag.

The vendor is almost certainly out of GDPR compliance.

@thisismissem @WPalant

@riley No, they only host the software; their clients are in breach of GDPR and need to handle the mess.
I wonder how many of their customers sued, then.

@RakowskiBartosz @thisismissem @WPalant

@rlcw Doubtful. If they have a signed data processing agreement then the software vendor is likely in violation of this agreement, making them the guilty party under the GDPR. And if there is no data processing agreement because the clients aren’t aware of data processing taking place then the vendor is also liable. The clients are only liable if they were handling personal data and knew that the software would store it elsewhere, yet failed to acquire a data processing agreement.

Either way, I can answer your question: zero. GDPR enforcement is spotty to say the least. It doesn’t happen even in far more obvious cases.

@riley @RakowskiBartosz @thisismissem