A programmer was sentenced by a German court after finding a security bug in Modern Solution’s software.
A self-employed IT programmer who found a security bug while investigating an IT security issue in Modern Solution’s software was sentenced by a German court to a fine of 3,000 euros ($3,265 USD) for unauthorized access to third-party computer systems and spying on data. According to the court, the actions of the programmer, who discovered a serious gap in Modern Solution’s software, fall under the hacker subsection.
Programmer Finds Bug In Modern Solution’s Software
A freelance IT service provider was commissioned to look at software that was installed on a customer’s server. At the time of the crime, he had been hired by one of his clients to review software installed on the server of another client. It was an application from Gladbeck-based Modern Solution GmbH & Co. KG, which provides services related to JTL’s merchandise management system.
The defense attorney for the programmer said that Modern Solution’s software overflowed the customer’s database with log messages. As a result, his client received an order from his customer for this problem to be resolved.
While investigating the issue, the programmer discovered that the software established a MySQL connection over the Internet to the Gladbeck company’s servers. Based on the defendant’s statement, he initially thought the software on his customer’s server connected to a Modern Solution database containing only his customer’s data. That seemed quite plausible given the database name he read out.
The defendant, however, quickly realized that this database held much more information than he initially thought. Later, it was discovered that the database contained data on all Modern Solution customers and details of their online shoppers. According to his statement, the defendant immediately disconnected the database connection after discovering he had access to other customers’ information.
Programmer Informs Modern Solution About the Bug; Company Reports to the Police
In collaboration with a tech blogger, the programmer contacted the affected company, which closed the security gap and reported the programmer to the police. As the report by Heise put it: “An IT expert helped make company systems more secure. Instead of a reward, the police searched his house and confiscated his equipment.”
Programmer Sentenced By German Court
The defense attorney argued that the defendant (here, the programmer) committed no crime. According to his attorney, his client had examined software that Modern Solution had made available to his customer and its associated data. As a result, he only accessed data that was intended for him. The defense attorney argued that at least the software created by Modern Solution GmbH was ultimately distributed to its customers. With reference to Section 202a of the Criminal Code, the court did not agree with this argument.
The public prosecutor’s office, on the other hand, spent a considerable portion of the taking of evidence trying to show that the defendant had decompiled the code of the Modern Solution software in order to obtain the password. The defendant claimed that he had only viewed the file with a text editor and thus read the database password in plain text, but the court considered this to be a criminal offense.
According to Heise’s report on the case, several issues were raised by the defendant’s attorney during the proceedings. Firstly, it was mentioned that during the taking of evidence, the court did not directly refer to the relevant file. Additionally, no effort was made to verify the defendant’s information. Furthermore, the court was unable to prove the defendant’s acquisition of the password by decompilation. However, it was disclosed that the Modern Solution software had been decompiled on the defendant’s computers. This evidence only proved that the defendant had back-translated the software after allegedly spying on the data.
At the conclusion of the trial, the presiding judge made several important statements regarding the potential violation of the law by a hacker. The judge stated that if anyone were to look at the program’s raw data and connect it to Modern Solution’s database, it would potentially violate the law (Section 202a of the Criminal Code).
Eventually, on January 17, the Jülich District Court sentenced a programmer who analyzed software for a customer and found a security hole that exposed the data of almost 700,000 buyers in online shops. The self-employed programmer was sentenced to a fine of 3,000 euros ($3,265) for trying to harm Modern Solution. Modern Solution stated that the defendant had tried to harm the Gladbeck company and that professional hackers would have caused more significant damage.
The defendant’s defense attorney argued that even if the court found him guilty, he had acted in the interests of the public. The presiding judge took the position that the judiciary must work with the laws that are currently available.
Latest Update on the Case
According to Heise, the verdict in the case, in which a programmer was sentenced to a 3,000-euro fine, is not yet legally binding, and both parties have one week to appeal the penalty decision. The case would then be reheard before a regional court. As per the latest update on the case, the accused programmer has announced their intention to appeal the verdict. This information was released on Friday through an online statement.