A case of deja vu? A German court found a programmer guilty of hacking and fined him 3,000 euros for unauthorized access to external computer systems and data spying. According to information published by Heise, the programmer is a freelance IT service provider. A customer had originally engaged him to find out why the product management software the customer used was generating excessive amounts of log output.
While examining the software, the programmer found that it opened a MySQL connection to a remote server belonging to Modern Solution GmbH, the vendor of the management software. He connected to that remote database to investigate and found that it held data on nearly 700,000 Modern Solution customers.
Having recognised this as a security issue on the software vendor's side, the programmer disconnected from the database and later contacted Modern Solution through other channels to report the problem.
In response, Modern Solution took all of its servers offline for repairs on the day it was notified. At the same time, the company flatly denied that its system had any security issue, whereupon the programmer went public and stated that Modern Solution had a security problem.
The software vendor subsequently went to the police, claiming that the programmer had gained unauthorized access to the exposed data and to its database server.
Passwords stored in clear text:
Judging from the account given by the programmer who was sued, Modern Solution is a very weak software vendor. Why? Because the company hard-coded the database connection password in clear text in an executable file.
What is even more alarming is that the data of hundreds of thousands of its customers was stored on the same database server and accessed with the same account name and password, and the executable containing that clear-text password was shipped to customers as part of the management software.
In other words, anyone who analyzed the software's files could easily recover the password and connect to the vendor's database.
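The weakness described above, a shared database password embedded in a shipped binary, is exactly what a pre-release secret scan of a build artifact is meant to catch. The following Python script is an added example written for this article, not code from Modern Solution or from the reported case: it pulls printable strings out of a binary blob, matches them against two common MySQL connection-string shapes, and reports any embedded credentials with the password masked. The artifact, host names, user names and passwords in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample build artifact: a few bytes of header noise, then two
# hard-coded MySQL connection strings of the kind a vendor should never ship.
# All hosts, users and passwords here are invented for this example.
SAMPLE_ARTIFACT = (
    b"\x7fELF\x02\x01\x01\x00"
    + bytes(range(0, 32))  # non-printable filler
    + b"Server=db.example.invalid;Uid=shared_app;Pwd=NotARealPassword1;Database=erp\x00"
    + b"\x00\xff\xfe" * 8
    + b"mysql://reporting_user:AlsoFake!@db.example.invalid:3306/reporting\x00"
    + b"Usage: tool [options]\x00"
)


@dataclass
class Finding:
    kind: str     # which connection-string shape matched
    offset: int   # byte offset of the match inside the artifact
    user: str
    host: str
    masked: str   # redacted string that is safe to put in a report


# Any run of 8 or more printable ASCII bytes, like the classic `strings` tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")

# Shape 1: URL-style DSN, mysql://user:password@host[:port]/db
URL_DSN_RE = re.compile(r"mysql://([^:/@\s]+):([^@\s]+)@([^/\s:]+)(?::\d+)?/?\S*")

# Shape 2: key/value DSN as used by ODBC / .NET style connectors
KV_DSN_RE = re.compile(
    r"Server=([^;\s]+);.*?Uid=([^;\s]+);.*?Pwd=([^;\s]+)", re.IGNORECASE
)


def _mask(secret: str) -> str:
    """Keep only the first character so a reviewer can confirm the match."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def find_embedded_credentials(blob: bytes) -> list[Finding]:
    """Scan a binary artifact for embedded MySQL credentials.

    Each printable string is checked against both DSN shapes. Passwords are
    masked in the returned findings so the scan report itself does not
    become a second copy of the secret.
    """
    findings: list[Finding] = []
    for s in STRING_RE.finditer(blob):
        text = s.group().decode("ascii")
        for m in URL_DSN_RE.finditer(text):
            user, pwd, host = m.group(1), m.group(2), m.group(3)
            findings.append(Finding("url-dsn", s.start() + m.start(), user, host,
                                    f"mysql://{user}:{_mask(pwd)}@{host}"))
        for m in KV_DSN_RE.finditer(text):
            host, user, pwd = m.group(1), m.group(2), m.group(3)
            findings.append(Finding("kv-dsn", s.start() + m.start(), user, host,
                                    f"Server={host};Uid={user};Pwd={_mask(pwd)}"))
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_ARTIFACT):
        print(f"{f.kind} at byte {f.offset}: {f.masked}")
```

Run against a real release build, a non-empty result should fail the pipeline. The scan is a heuristic (obfuscated or split strings will not match), so it complements rather than replaces the structural fix: the shipped client should not hold database credentials at all, but talk to a vendor-side API that authenticates each customer separately and exposes only that customer's records.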
Fined 3,000 euros by the court:
Looking at the sequence of events, it is easy to see that Modern Solution went to the police purely because the programmer had disclosed its security problem: the company had consistently denied that anything was wrong and showed no intention of involving the police until the issue was made public.
Prosecutors brought charges under existing German law, namely Section 202c of the German Criminal Code, also known as the hacking clause, which makes unauthorized access to password-protected data a criminal offence.
In sentencing, the German district court took into account that the programmer had no prior criminal record and fined him 3,000 euros, considerably less than the penalty the prosecutors had requested.
Appeal:
His lawyers argued that he had acted in the public interest and had responsibly informed the software vendor of the vulnerability, and said the court's view of the matter was seriously outdated.
After all, although he did access the data, he came across it by accident; he disclosed the vulnerability in the public interest; and he did not leak any data. From any of these angles, they argue, he should not have been convicted or fined.
The programmer has now filed an appeal, which will be heard by Germany's Higher Regional Court.