Programmer accused of illegal access to data after vulnerability discovery

Brother
The specialist fell into the trap of Modern Solution and became a scapegoat.

In Germany, an IT consultant was fined €3,000 for detecting and reporting a vulnerability in an online store's database that exposed data from nearly 700,000 customers.

In June 2021, a specialist known as Hendrik H., while troubleshooting software for a client of the IT company Modern Solution GmbH, discovered that the Modern Solution code connects to a MariaDB database server over the MySQL protocol. The password for that server was stored in clear text inside the executable MSConnect.exe, so anyone could read the unencrypted credentials simply by opening the file in a text editor.

The password gave access to the data of about 700,000 customers of various online stores: shoppers who had bought from small vendors that use Modern Solution software to sell on large online platforms such as Otto, Kaufland, or Check24. Modern Solution's program files were freely available on the Internet, so anyone could find the database password in them.
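The weakness described above is a credential embedded in a shipped binary, recoverable with nothing more than a text editor or a strings dump. The script below, an added example that is not code from the article or from Modern Solution, shows the check a practitioner would run over such a file before release: pull printable strings out of a binary blob and flag any that look like database credentials. The binary image, the connection-string format and the key names (Uid, Pwd, password, ...) are constructed assumptions for the demonstration, not the real MSConnect.exe.

```python
import re
from typing import List, Tuple

# Constructed sample: a fake executable image with a plaintext MySQL-style
# connection string buried among binary noise. This is NOT Modern Solution's
# file; the layout and the credential values are invented for the example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 16
    + b"Server=db.example.invalid;Port=3306;Database=shop;Uid=app;Pwd=S3cr3tPass!\x00"
    + b"\x01\x02\x03"
    + b"libmysql.dll\x00"
    + b"\x7f\x00\x00" * 8
)

MIN_STRING_LEN = 6

# Assumed set of key names commonly used in ODBC/MySQL-style connection
# strings; extend it for the formats your own binaries actually use.
CREDENTIAL_KEYS = re.compile(
    rb"(?i)\b(pwd|password|passwd|uid|user(?:name)?)\s*=\s*([^;\s]+)"
)


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> List[bytes]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(blob)]


def find_credentials(blob: bytes) -> List[Tuple[str, str]]:
    """Scan every printable string in the blob for key=value pairs that look
    like credentials and return them as (key, value) text pairs, in file order."""
    hits: List[Tuple[str, str]] = []
    for s in extract_strings(blob):
        for m in CREDENTIAL_KEYS.finditer(s):
            hits.append((m.group(1).decode("ascii"), m.group(2).decode("ascii")))
    return hits


def audit(blob: bytes) -> bool:
    """Release-gate style check: True when the binary carries no plaintext
    credential-looking strings, False (with a report) otherwise."""
    hits = find_credentials(blob)
    for key, value in hits:
        print(f"plaintext credential in binary: {key}={value}")
    return not hits


if __name__ == "__main__":
    # Against the constructed sample this reports Uid=app and Pwd=S3cr3tPass!
    # and returns False, i.e. the build must not ship.
    print("clean" if audit(SAMPLE_BINARY) else "FAIL: credentials embedded")
```

Run against a real file with `find_credentials(open(path, "rb").read())`. A positive hit means the secret must move out of the binary entirely (per-installation configuration, an OS credential store, or a server-side token exchange); obfuscating it inside the executable only delays the same text-editor discovery.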

Image: Extracting data about end-users of retailers

Modern Solution released a statement acknowledging that a vulnerability in its system allowed access to the database, including unencrypted passwords and personal data. According to the company, sensitive data of Modern Solution's own customers was exposed: surnames, first names, email addresses, phone numbers, bank details, passwords, and the history of correspondence and calls. The statement also says that only a limited amount of data, names and addresses, was exposed for shoppers who had bought from the company's retail clients.

In September 2021, following a complaint from Modern Solution, the German police confiscated the IT consultant's computers. Senior employees of the company claimed that the programmer had previously worked for JTL, a company that produces systems with which the Modern Solution software interacts, and that the relationship with JTL had ended in conflict. Representatives of Modern Solution told the police that he had obtained the password using knowledge gained at JTL.

Hendrik H. was charged with illegal access to data under section 202a of the German Criminal Code, which criminalizes gaining access to data that is specially protected against unauthorized access; the prosecution's position was that reading password-protected data falls under this provision.

In June 2023, the district court sided with the IT consultant, finding that the Modern Solution software was not sufficiently protected. However, the appeals court sent the case back for a new hearing. On January 17, 2024, the district court fined Hendrik H. €3,000 and ordered him to pay the legal costs. The programmer stated that his goal was to protect customers. The verdict is not yet legally binding, as both sides have a week to appeal, which is what Hendrik H. intends to do.

Mark Steier, a blogger and e-commerce specialist who published information about the vulnerability, called the court's decision "shocking", because a password stored essentially in clear text cannot be considered a "special security feature". He noted that an expert should have been consulted in this case, but was not. Steier also said that Modern Solution downplayed the scale of the data leak.

Security researcher Vladimir Palant also criticized the court's decision, noting that it threatens legitimate security research, lets companies avoid securing their systems properly, and ultimately puts users at risk.