In May, the Berlin software developer Lilith Wittmann found serious security vulnerabilities in the mobile app CDU-Connect and then discovered a barely secured database with personal data on 18,000 election campaign workers on the web. In the course of a responsible disclosure she also informed the party. This resulted in a job offer, then a threat and finally a criminal complaint that has since been withdrawn. The preliminary investigation is still ongoing.
Ms Wittmann, how did you come across the CDU's election campaign app?
The topic was going around on Twitter at the time, and I was struck by the fact that it apparently contained mass data on voters and their opinions. That sounded like something you just shouldn't do, as had already been seen in the USA.
How long did it take to find the vulnerabilities and the database behind them?
Maybe two or three hours for the vulnerability. It was so easy that I almost hadn't tried it – but suddenly I had the whole database in my hands. Documenting and communicating the security vulnerabilities then took a lot longer.
You explain in your blog post that the BSI, CERT, the state data protection officer and the CDU were informed at the same time. Nevertheless, some people have been saying that this was not a responsible disclosure because you had already tweeted about your work in advance.
I neither revealed that there was a security vulnerability nor gave any details. Saying that I'm using this thing and taking a look at it – that's not a statement that I found a vulnerability. I also write nothing about vulnerabilities as long as they are not fixed or the affected application is offline.
And why were so many bodies alerted then?
I always have to inform the BSI if there is a data leak. And in my view personal data were involved, hence the state data protection officer. First I tried to inform the CDU. But it quickly became clear that nobody wanted to talk to me on the phone about security.
"Write a mail"
Who did you reach there?
I called the CDU's federal headquarters and introduced myself as a security researcher who had found a vulnerability. They then transferred me two or three times and finally brushed me off: "Write a mail to our data protection officer, we don't know what we're supposed to do now." That's what I did, in parallel with all relevant authorities, noting that they were in a process of responsible disclosure. But first I tried to ask the party by phone to take the thing offline.
Next there was the first conversation with the CDU's federal managing director Stefan Hennewig. How did that come about?
He first wrote to me from his private Twitter account and asked for a conversation. Shortly thereafter we spoke on the phone. First I was supposed to confirm that I had not stored any personal data of CDU members – I hadn't, why would I? Then he offered me a job with the party, they had a lot of security problems. I explained to him that I don't work for people whose vulnerabilities I have just found, because then I would be working in the security industry and could no longer do this as a civil society commitment. And then I also told him what I think of the CDU.
That seems to have been a mistake in retrospect…
Yes, he said he actually had to press charges against me. I explained that I didn't believe that, and we argued a bit about whether the CDU stores personal data on its voters. I think it does, and then he said he wanted to press charges. Then I ended the conversation.
And then nothing happened for a long time, right?
Except for the fact that Armin Laschet called me a "hacker" on television.
That was in his interview on ProSieben on 17 May, and you got quite worked up about the term on Twitter – why?
It depends on how "hacker" is used. It can mean people who do cool and creative things. But the way Laschet used it, roughly in the sense of "someone has done something wrong there", it is clearly negatively connoted. That's why in interviews I often try to replace it with "IT security researcher".