Security researchers uncover trivially exploitable data leaks at legaltechs
Two legaltechs help citizens enforce their legal claims. But some of their data sat unprotected online, as hackers discovered.
Data leaks are unpleasant for everyone involved, but they become particularly sensitive when data from ongoing legal disputes is inadvertently made public.
(Image: Created with Bing Designer for heise online / dmk)
Legaltech start-ups offer their customers legal services that are partially or fully automated and can therefore process many cases highly efficiently, for example to assert consumer rights. However, as the degree of automation of legal processes increases, so does the risk that data mishaps are delivered just as automatically. This is exactly what happened to two companies from the legaltech sector in recent months. The Chaos Computer Club (CCC) took up both cases.
Forgotten Git directory puts data at risk
The legaltech euFlight is dedicated to consumer protection. The company helps passengers assert claims arising from flight cancellations or delays by buying those claims at a discount (factoring). euFlight then enforces the purchased passenger rights against the airlines, using legal means if necessary.
Back in September 2024, security researcher Matthias Marx discovered a .git directory on one of euFlight's backend websites that was accessible to anyone, possibly the remnant of a faulty rollout process. Such a directory holds the internal metadata of the version control system invented by Linus Torvalds, but also the complete object database, from which the entire source code of the affected application, including its history, can be reconstructed. That source code was the key to a treasure trove of data: via the backend system, Marx gained access to data from several thousand euFlight customers and to some of the company's database servers. During his brief foray through the euFlight system, the hacker also noticed outdated password hashing schemes and inadequate authentication mechanisms. Marx, a member of the CCC, called in the club, which in turn informed the company. euFlight closed the worst gaps on the same day.
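The check behind a finding like this is simple: request `.git/HEAD` and `.git/config` under the web root and see whether what comes back is what git writes into those files. The following script is an added example written for this article, not code from the CCC, euFlight or heise; the hostnames and the sample responses are constructed, and the `fetch` wrapper around `urllib` is an assumption about how a practitioner would wire it to a live host. The content check matters because many servers answer 200 with an HTML page for any path (catch-all rewrites, SPA fallbacks), so the status code alone says nothing.

```python
"""Probe a web root for an exposed .git directory (added example, constructed data)."""
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Every git working copy contains these two files; fetching them over HTTP is
# the classic test for a leaked .git directory. The patterns describe what git
# itself writes there, so an HTML error page or SPA shell is not mistaken for a hit.
GIT_PROBES = {
    # "ref: refs/heads/main" or a detached 40-hex (sha1) / 64-hex (sha256) object id
    ".git/HEAD": re.compile(rb"^(ref: refs/[\w./-]+|[0-9a-f]{40}|[0-9a-f]{64})$"),
    # a config file starts with the [core] section
    ".git/config": re.compile(rb"^\[core\]", re.M),
}

Fetcher = Callable[[str], Tuple[int, bytes]]


def looks_like_git_file(path: str, body: bytes) -> bool:
    """True if body is what git writes into the probe file named by path."""
    return GIT_PROBES[path].search(body.strip()) is not None


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Minimal HTTP GET returning (status, first 4 KiB of body); errors are not raised."""
    req = Request(url, headers={"User-Agent": "git-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except HTTPError as e:          # 403/404/500: still a usable answer
        return e.code, e.read(4096)
    except URLError:                # DNS/connection failure: treat as no answer
        return 0, b""


def check_git_exposure(base_url: str, fetch_fn: Fetcher = fetch) -> Dict[str, bool]:
    """Return {probe_path: exposed} for base_url.

    A probe counts as exposed only when the server answers 200 AND the body
    parses as the expected git file.
    """
    base = base_url.rstrip("/") + "/"
    results: Dict[str, bool] = {}
    for path in GIT_PROBES:
        status, body = fetch_fn(base + path)
        results[path] = status == 200 and looks_like_git_file(path, body)
    return results


def remote_url_from_config(config: bytes) -> Optional[str]:
    """Pull the first 'url = ...' out of a leaked .git/config (tells you where the repo lives)."""
    m = re.search(rb"^\s*url\s*=\s*(\S+)", config, re.M)
    return m.group(1).decode("utf-8", "replace") if m else None


# Constructed sample responses standing in for two hypothetical hosts: one with a
# leaked repository, one whose catch-all rewrite returns an HTML shell for everything.
SAMPLE_RESPONSES = {
    "https://legacy-backend.example.invalid/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "https://legacy-backend.example.invalid/.git/config": (
        200,
        b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
        b'[remote "origin"]\n\turl = https://git.example.invalid/app.git\n',
    ),
    "https://spa.example.invalid/.git/HEAD": (200, b"<!doctype html><title>App</title>"),
    "https://spa.example.invalid/.git/config": (200, b"<!doctype html><title>App</title>"),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for fetch() that serves the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, (404, b"Not Found"))


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else "https://legacy-backend.example.invalid"
    for path, exposed in check_git_exposure(target, fetch if live else fake_fetch).items():
        print(f"{target}/{path}: {'EXPOSED' if exposed else 'ok'}")
```

Run it with a URL argument to probe a real host; without one it exercises the constructed responses. A positive result on `.git/HEAD` means the object database is almost certainly retrievable as well: if the server also lists directories, a recursive download gets everything, and even without listings the objects can be walked from `HEAD` and the packed refs. The fix on the server side is to refuse the path outright, for instance `location ~ /\.git { deny all; }` in nginx or `RedirectMatch 404 /\.git` in Apache, and to stop deploying the working copy instead of a build artefact in the first place.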
Lars Watermann, Managing Director of euFlight, explained to heise security how the leak came about: during the handover to new IT managers, a misconfiguration had allowed access to the .git directory. The affected software was "legacy", i.e. part of the company's technical debt. According to Watermann, many of the points criticized by the CCC were already on the agenda. The affected backend had been exposed since July 2024, but no one apart from the CCC researcher had accessed the directory. This has long since been fixed, and the hacker's other suggestions for improvement have now also been implemented.
Matthias Marx and euFlight's management brought in the relevant data protection authority, but the company did not inform its customers. euFlight was probably lucky here: an analysis of the log files showed that only the security researchers had found the vulnerability and accessed the exposed data. As Watermann explained, customers were not notified because, after all, no data had been lost.
Sloppily configured web server gives away far too much
A second data leak, reported to the CCC by an anonymous security researcher, is much more recent. It concerns myRight, a legaltech that helps its customers assert recourse claims in many areas of life, from bicycle accidents to gambling losses.
Whereas the security researchers at euFlight at least had to extract the backend's PHP source code first, myRight made it even easier for the curious: an incorrectly configured web server hosted in the Amazon Web Services network offered all kinds of documents for direct download. Among the exposed data were documents relating to open legal disputes involving the company and its partner law firms. As security researcher Marx explained to heise security, unauthorized persons could have accessed ID documents, vehicle registration documents, lists of sports bets placed and other documents from up to 25,000 myRight customers.
myRight Managing Director Bode did not want to confirm this figure: the company is still investigating which customers are potentially affected. A good week after the CCC informed the company and the responsible data protection authority on January 27, it was still unclear how long the web server had been reachable from the Internet.
On the same day, myRight took the chatty web server offline. The company is now replacing it with a better-protected platform for sharing data, with two-factor authentication and time-limited access. In addition, myRight is planning external pentests and security analyses, according to Bode, whose company also alerted the supervisory authority itself on January 30. According to Bode, there were no indications of unauthorized access, which is why customers were not informed.
Mild outcome
For both companies, the data leaks had a mild outcome, or as the saying goes, "more luck than judgement". After all, both took the reports seriously and promptly fixed the vulnerable systems. And unlike the CDU or Modern Solution, for example, they did not press charges against the people who reported the problem. Those two cases drew harsh criticism online and created a "chilling effect": security vulnerabilities often go unreported for fear of legal reprisals against those who discover them.
Company reporting practice is a podcast topic
Sensitive data being exposed through misconfiguration is not an isolated occurrence. Whether through unsecured APIs, as in the recent data leak at D-Trust, or through open web servers and data dumps, security researchers and attackers often only have to help themselves, thanks to sloppy admins. According to Marx, a certain habituation effect has set in: hair-raising data leaks are discovered far too often.
And the way affected companies act after such a breach often raises questions. In the episode of the heise data protection podcast "Auslegungssache" published on February 7, 2025, host Joerg Heidrich and three heise editors discuss whether companies' reporting practices are sufficient. One controversial point: companies often do not regard access by security researchers as third-party access that would require customer notification. But data flows in that case too, and not every unsolicited pentester is completely trustworthy.
(cku)