Modern Solution: Court of Appeal confirms guilt of security researcher
On appeal by the programmer who uncovered a security vulnerability in software from Modern Solution, the regional court confirmed the penalty order.
On Monday, the Regional Court of Aachen dismissed as unfounded the appeal of the programmer who was reported to the authorities by software provider "Modern Solution" and subsequently convicted. The judgment of the lower court thus stands. However, the verdict is not yet legally binding and the defense informed heise online that it intends to appeal (LG Aachen Az 74 NBs 34/24).
In January, the programmer was sentenced to a fine of 3,000 euros by the Jülich district court because he was found guilty of unauthorized access to third-party computer systems and spying on data following the disclosure of a security vulnerability (AG Jülich Az 17 Cs 55/23). Modern Solution had reported the expert instead of rewarding him for finding the security vulnerability.
House search after disclosure
The freelance IT service provider accused in this case had examined the software of the Gladbeck-based company Modern Solution for a customer in June 2021 due to a database error. In the process, he discovered a serious security vulnerability that allowed access to the personal data of almost 700,000 online store customers. After the company had fixed the vulnerability, the programmer made its existence public with the help of a relevant blog in the e-commerce industry. A few months later, the police searched his business premises and confiscated his work materials.
The Jülich district court initially dismissed the case in 2023. In the appeal lodged by the Cologne public prosecutor's office, the Aachen Regional Court ruled that the judges in Jülich would have to retry the case. At the trial earlier this year, the public prosecutor's office wanted to prove that the defendant had used a decompiler to extract a password from the Modern Solution software.
The defendant had established that his customer's problems were caused by the software establishing an internet connection to a database on Modern Solution's servers. He had used the password stored in the software's source code to view this database, as it had "cluttered the software with log messages".
The actual executable file, which according to the defendant contained the password in plain text, was not examined during the trial in Jülich. The law enforcement authorities do not appear to have done so in advance, either. heise online was able to confirm in June 2021 through its own investigations that the password was present in plain text in the file.
In the appeal proceedings on Monday, Aachen Regional Court adopted the assessment of Jülich District Court that access to the secured database constituted a criminal offense. Trial observers from the Chaos Computer Club reported that the court did not care how the defendant had obtained the password. The password was not easy to guess or publicly known, making access a criminal offense.
In the trial, the small criminal chamber emphasized that the defendant could have avoided criminal liability if he had terminated the access the moment he realized that he could access the data of customers that he should not have seen. The fact that he had documented this data with screenshots, which was undisputed at the trial, sealed his criminal liability.
Crucial point: screenshots
According to several trial observers with whom heise online spoke after the trial, and some of whose notes we have, these screenshots were the linchpin of the trial. The court used them to establish that the defendant had undoubtedly accessed the data and should also have known that he was guilty of the "hacker offense" under Section 202a StGB. How the accused obtained the password was apparently irrelevant.
The verdict is not yet final and the defense has announced its intention to appeal. This has been permitted by the Aachen Regional Court and will probably be heard by the Higher Regional Court in Cologne. On appeal, however, the findings made by the lower courts will only be reviewed to a very limited extent and there will be no new hearing of evidence. The main issue will be whether the verdict was reached in accordance with procedural law.
(dmk)