Published in News

Security expert fined for exposing e-commerce firm's blunder

23 January 2024


Blunder leaked 700,000 customer records, but let's not talk about that 

A German security whiz has been slapped with a $3,300 fine for finding and reporting a gaping hole in an e-commerce firm's database, spilling almost 700,000 customer records.

In June 2021, our mates at Heise revealed that a contractor named Hendrik H. was fixing some software for a client of IT services outfit Modern Solution. He discovered that the Modern Solution code connected to a MariaDB database server run by the vendor. The password to get into that remote server was stored in plain text in the program file MSConnect.exe, so anyone who opened the executable in a simple text editor could read the unencrypted hardcoded password.

With that easy-peasy password, anyone could log into the remote server and access data from not just that one client of Modern Solution but also data from all of the vendor's clients stored on that database server. That info included personal details of those clients' customers.

Modern Solution's program files were available on the web so anyone could check the executables in a text editor for plain-text hardcoded database passwords.
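The check implied by that discovery is a strings-style scan of a build artifact for connection-string credentials. The following is an added example and not code from the article, from Heise, or from Modern Solution; the sample bytes, hostname, user name and password are all constructed for illustration and have nothing to do with the real MSConnect.exe.

```python
import re

# Constructed sample standing in for a program file: a few bytes of binary junk
# around a plaintext MariaDB connection string. Not the real MSConnect.exe.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"Server=db.example.invalid;Port=3306;Database=shopdata;"
    b"Uid=shop_app;Pwd=Sup3rS3cret!;\x00\x00"
    b"\x7f\x01\x02GetConnectionString\x00\x00\xde\xad\xbe\xef"
)

# Keys commonly seen in ODBC/MySQL-style connection strings.
CREDENTIAL_KEY = re.compile(
    r"\b(pwd|password|passwd|uid|user|username|server|host)\s*=\s*([^;\s]+)",
    re.IGNORECASE,
)


def extract_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, text) for every run of printable ASCII at least min_len
    bytes long, which is what the Unix strings tool does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def find_credentials(blob: bytes) -> dict:
    """Return {key: (value, byte_offset)} for connection-string style key=value
    pairs found among the printable strings of blob."""
    found = {}
    for offset, text in extract_strings(blob):
        for m in CREDENTIAL_KEY.finditer(text):
            found[m.group(1).lower()] = (m.group(2), offset + m.start())
    return found


def has_hardcoded_password(blob: bytes) -> bool:
    """The yes/no gate a release pipeline would apply to a build artifact."""
    creds = find_credentials(blob)
    return any(k in creds for k in ("pwd", "password", "passwd"))


if __name__ == "__main__":
    secret_keys = ("pwd", "password", "passwd")
    for key, (value, off) in find_credentials(SAMPLE_BINARY).items():
        shown = value[:2] + "***" if key in secret_keys else value
        print(f"offset {off:6d}: {key}={shown}")
    print("hardcoded password present:", has_hardcoded_password(SAMPLE_BINARY))
```

Run against a real executable by reading it with `open(path, "rb").read()` in place of the constructed blob. The scan only catches credentials stored as contiguous printable ASCII; a password stored as UTF-16 or lightly obfuscated would slip past it, which is why the fix is not a smarter scanner but keeping the credential out of the shipped binary altogether.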

Hendrik H.'s findings were discussed in a 23 June 2021 report by Mark Steier, who writes about e-commerce. That same day, Modern Solution issued a statement admitting that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and chat and call histories. But it claims that only a bit of data -- names and addresses -- about shoppers who bought stuff from these retail clients was exposed.

Steier says that's rubbish and accused Modern Solution of playing down the seriousness of the exposed data, which he said included loads of customer data from the online shops run by Modern Solution's clients.

In September 2021, cops in Germany fingered the collar of Hendrik after a complaint from Modern Solution that said he could only have gotten the password through insider knowledge: he had previously worked for a related firm, and the biz said he was a rival.

Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that snooping on data protected by a password can be a crime under the Euro nation's cybersecurity law.

In June 2023, the Jülich District Court in western Germany initially sided with the security expert, on the grounds that Modern Solution's software was so poorly secured that reading the password hardly counted as breaking a protection. However, the Aachen regional court overturned that and told the district court to hear the complaint. Now, the district court has changed its mind.

On 17 January, the Jülich District Court fined Hendrik H. and ordered him to pay court costs, a serious reminder that doing the right thing and pointing out security flaws in a company's software can seriously damage one's wealth.

Last modified on 23 January 2024