Around a week ago I was doing some further digging into exposed servers leaking sensitive information, as part of a personal project I’ve been working on. While sifting through thousands of vulnerable servers and trying to identify and report the most critical ones I could, I stumbled across a single server that was serving up all of its data publicly on the web.
This server, an Elasticsearch server, happily listed all of its tables in response to a single probing query (made to confirm the data pulled from third-party sources). The server responded with a number of different table names, such as “Delivery, pos, receipts, online, menu”, indicating that this was probably a hospitality service, possibly a restaurant or takeaway. The table names suggested that a lot of personal information would be held, especially as the data set is over 10GB in size.

Normally when I see this sort of thing, my first thought is to try to figure out who owns the IP address by checking indicators in the table names, rDNS, SSL certificate details or other open ports on the server that could help identify the owner. However, these checks brought up no information and gave me no way to report this other than to the ISP.
In the past I’ve tried reporting directly to the ISP, and of the dozens of reports I’ve made, only 1 or 2 have ever been followed up with a useful or non-automated response. Now, I understand that GDPR exists and these companies can’t give me their clients’ details, but is it so hard to simply pass my evidence on to the client along with my email address? As someone who used to work for an ISP and handled both GDPR and security reports, this seems like an all-round win-win situation: as a company you get to help secure your client, making them trust and value you more, while doing zero work. Anyway, rant over.
So I’m now stuck with a decision: should I dive into this dataset, which is potentially exposing huge quantities of PII to the whole world, in an effort to find some useful information and report it? Or do I simply let this go?
I know there are some countries that are very progressive in this respect, such as the Netherlands and, to a degree, the United Kingdom. There are laws in place to protect security researchers who are trying to responsibly disclose vulnerabilities, as long as they’ve done so in the least invasive way possible. These are excellent laws and ultimately make everyone safer.
However, this server was based in Germany.
Now, if you haven’t been keeping up with the news, you’re probably confused as to why I’m highlighting Germany: it’s a fairly progressive country that has a thriving tech sector and falls under GDPR, so surely it should be fine? No, at least not recently.

Back in 2021 a German IT consultant was troubleshooting an issue with some software provided by Modern Solution GmbH and, to cut a long story short, discovered a significant security vulnerability that left 700,000 customer records exposed. He identified the issue, confirmed that his suspicions were in fact correct and then reported it to the vendor.
And how was he rewarded you might ask? A bug bounty? Praise?
No, he was fined $3,300 for the crime of doing good.
If you’re interested in reading the full details then I suggest you check out the link here; it’s a fascinating read. With this in mind, I posed myself the question: is the data of hundreds, perhaps thousands, of people worth my being arrested and possibly charged if I ever set foot in Germany?
No, no it’s not.
For that reason I simply left the server alone. I know that if this is still online in a few weeks, the server will be wiped and a ransom note placed on it; however, I’m completely powerless to do anything in the eyes of German law enforcement, so I won’t do anything to help them or their citizens.
This sentencing sets a dangerous precedent within Germany, criminalizing and vilifying security researchers who, for the most part, don’t do this for any financial gain: researchers who simply want to help and report vulnerabilities, kind souls just looking to help another person out. Sadly, Germany has made doing this a punishable offense, which, if it goes unchallenged, could cause significant damage to the country in the long run.
TL;DR: Don’t report security vulnerabilities in Germany if you don’t want to be arrested.