Christian Democratic Union spokesperson says police report was not directed at security researcher

Dispute erupts between Chaos Computer Club and Germany's CDU after activist finds alarming data leak

The Chaos Computer Club (CCC), a Germany-based association of hackers, has announced that it will stop cooperating with the Christian Democratic Union (CDU), Germany’s ruling political party, after the latter allegedly threatened one of its activists with legal prosecution following a security bug report.

In May, security researcher Lilith Wittmann discovered security flaws in CDU Connect, the mobile application the political party used to reach voters during the federal election season.

According to Wittman’s findings, the app’s web API had a security flaw that gave unauthorized access to the personal information of 18,500 campaign workers, including email addresses and photos.

More alarming was that the addresses, dates of birth, and interests of 1,350 users were also accessible through the API.

‘Shooting the messenger’

In the spirit of responsible disclosure, Wittman did not publish her findings immediately and submitted them to CERT-Bund, Berlin’s data protection officer, and the CDU’s data protection department. The CDU shut down the app shortly after the report and notified its users of a possible data leak.

But according to a blog post on CCC’s website, “the CDU held out the prospect of legal action” when Wittman reported the vulnerability. Earlier this week, the cybersecurity police sent an email to Wittman and asked for a postal address to send legal documents.

The CCC criticized the CDU for being “extremely ungrateful” for the voluntary help and described their move as “shooting the messenger.”

A spokesperson for CCC declared that the organization would no longer be reporting vulnerabilities to CDU in light of the episode.

RECOMMENDED Researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure

On August 4, CDU managing director Stefan Hennewig confirmed that the party had reported a data breach to the police but denied accusing Wittman of stealing data.

“Our notification is NOT directed against Lilith Wittmann's Responsible Disclosure procedure. RD procedures are a great way to alert those affected to security vulnerabilities,” Hennewig wrote on Twitter. Hennewig also apologized to Wittman and said that the complaint had been revoked.

Wittman was not convinced. “It’s a total non-apology, it doesn’t stop the actual lawsuit, nobody files a lawsuit accidentally,” she told The Daily Swig.

YOU MIGHT ALSO LIKE When vulnerability disclosure goes sour: New project details legal threats and risks faced by ethical hackers