Polish Blogger Sued After Revealing Security Issue In Encrypted Messenger

An anonymous reader quotes a report from The Record: The company behind the UseCrypt Messenger encrypted instant messaging application filed a lawsuit last month against a Polish security researcher for publishing an article that exposed a vulnerability in the app's user invite mechanism. The lawsuit targets Tomasz Zieliski, the editor of Informatyk Zakadowy, a Polish blog dedicated to IT topics, and denounces one of the site's articles, published in October 2020. The article describes how Zielinski found that in some cases, when UseCrypt Messenger users wanted to invite a friend to the app, the application used an insecure domain (autofwd.com) to send out user invitations. Zielinski found that besides running on an insecure HTTP connection, the AutoFWD.com website was also vulnerable to SQL injection and cross-site scripting (XSS) vulnerabilities that would have allowed anyone to hijack the site and then read or tamper with UseCrypt invitations. But while the authors of the AutoFWD.com website admitted to the security weaknesses in their service and shut down their website, Zieliski received a firm rebuttal of his research from V440 SA, the legal entity behind the UseCrypt Messenger.

In a message the company sent Zieliski a day after his blog post went live, they claimed his research contained "false information." In a message the company sent Zieliski a day after his blog post went live, they claimed his research contained "false information." V440 SA said their app did not use the AutoFWD.com service to handle user invitations but instead relied on an in-house solution hosted on the get.usecryptmessenger.com domain. But in a subsequent update, Zieliski claims that the UseCrypt team was lying and that, in reality, they silently patched their app to remove the AutoFWD.com from its user invite mechanism after his research was posted online and were merely trying to dismiss his findings, even after he notified them in advance of his research. To make matters worse, V440 SA had reportedly filed criminal complaints against not only Zielinksi's blog but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming that the three were working as part of an "organized criminal group."

"Requests to remove articles, requests for apologies and other letters from law firms addressed to our editors will not make us stop being interested in a certain issue," the editors of the Polish blogs said in a joint statement. It's currently unknown if there is actually a criminal investigation underway against the three sites or if this is just an intimidation tactic.

Lesson Learned

[bobstreo]

Next time just sell the "Security Issue" to "hackers" instead of the whole bother of reporting the issue.

Re:Lesson Learned

[stephanruby]

V440 SA had reportedly filed criminal complaints against not only Zielinksi's blog but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming that the three were working as part of an "organized criminal group."

Since the company is filing a criminal complaint, then it's an admission from the company that the product did have a security flaw.

Otherwise, they'd only be suing for defamation and libel.

Re:

[kot-begemot-uk]

Depends on the legal system, definition and method of persecution of libel and defamation. It differs from country to country.

USA and UK tried to make the rest of the world switch to their model where defamation and libel are purely civil matter. While there was a movement in the late 90es and 2000s, that has been rolled back now in most countries. Defamation and libel in a lot of countries have been re-criminalized. The laws have been amended for the Internet age as well. Not sure where Poland stands on

Re:

[Ostracus]

That's about as much a "lesson" as saying one should smash windows and grab stuff due to high prices. Yeah, that'll teach them.

Re: Lesson Learned

[reanjr]

It's more like jiggling the door to find it unlocked, then passing that info to thieves.

Re: Lesson Learned

[dhrabarchuk]

+1. No mods points left

Corporate Arrogance, Amplified.

[geekmux]

So a small basically unknown company, appears to have utilized all manner of intimidation tactics, to include accusations of criminal activity, against a group of IT professionals who were merely trying to strengthen a product by identifying a vulnerability and discussing it.

If that is what a small basically unknown company is capable of doing to basically avoid embarrassment, can you imagine what a mega-corp with political power is capable of? Downright scary when you think about it.

Tip for the kids; Don't piss off Too Big To Fail, because they'll prove it. On you.

Re:

[Anonymous Coward]

This is one of the things I've always seen as a huge problem with certain countries (of which I don't know that Poland is among) where it is actually codified in law that pointing out a security problem really is a criminal act.

Your concern/fear of mega-corps isn't misplaced, but at least most of them are operating in countries where not only is publishing security flaws not a crime, but is codified in law as explicitly legal.

It's bad enough when a mega-corp tries dragging you through court to argue your le

Re:

[SnickleFritz]

Don't just put companies in that category. Gov't is the most too big to fail there is and they've proven a willingness to go further.

Re:

[t2000kw]

Yet they did have advance notice before the findings were published. Whey did they not do the quick fix only after the article went live instead of moving fast as soon as they were made aware of the vulnerability? I don't know Polish law but I hope they have a law that allows suing the company for a frivolous lawsuit so they can not only get some court award, but also recoup their legal exopenses. It also seems a bit ludicrous that they'd sue when it was their fault the vulnerability needed to be disclose

Re:

[Stoutlimb]

This is not a corporate problem. This is a condemnation of fundamental human nature. Humanity needs a massive set of bug fixes.

Re: Corporate Arrogance, Amplified.

[dhrabarchuk]

Maybe they lied to avoid any potential liability?

All whistleblowing should be done anonymously.

[couchslug]

Whistleblowers are always punished and blacklisted. It's a great way to ruin your life. The appropriate response is exposure by anonymously dumping info where it will be exploited so the damage will coerce corrective response.

When you find someone doing evil, attack them without revealing yourself for punishment or you will accomplish nothing. It would have been better to make fools of the perps anonymously than play against them in a legal system they own.

Re:

[haraldm]

Yes but someone is gonna report it. So if you don't get the whistleblowers, sue the publishers. See also "Julian Assange".

Re:

[Antique Geekmeister]

The publicity can also help gather other business. Kevin Mitnick, one of the most notorious criminal hackers, is in business again as a security consultant. And Tsutomo Shimomura, who tracked him down and exposed the gross incompetence of the FBI in employing, shielding, and then losing track of Mr. Mitnick also gained notoriety and business precisely for tracking down Mr. Mitnick despite the FBI's blundering incompetence in the search.

Whistleblowing is also vital for news organizations, who rely on exposes

Wow!

[LenKagetsu]

Not only is UserCrypt not secure, but the company lashes out at and sues anyone who points this out! I better not use it!

Re:

[geekmux]

Not only is UserCrypt not secure, but the company lashes out at and sues anyone who points this out! I better not use it!

Look at the bright side. We got a colorful name out of this move. I call it the Reverse Streisand.

(Vendor) "Our product is NOT insecure! How DARE you say it is! I'll SUE your ass!!"

* Future user base standing outside the proverbial product door, collectively vows to never open it *

Re:

[LenKagetsu]

A reverse streisand would be where you do everything in your power to publicize something but nobody gives a shit about it.

Re:

[Canberra1]

Ungrateful twits. They had a top class FREE PEN test and in-depth (free analysis). Instead of tossing $10,000 or more their way as a thanks they get PR to intimitate - even though they had advance notice. Knowingly not fixing defective product/code SHOULD be a crime, especially when holding on to false representations that it is secure.

SJW tactics.

[BAReFO0t]

The best bullying is to accuse others of bullying.

Any comment from Barbra Streisand so far?

[haraldm]

#facepalm

Streisand effect?

[VeryFluffyBunny]

Hasn't V440 SA heard of the Streisand effect? What a great way to generate a tonne of negative publicity, making the public doubt the competence of a company that provides security & privacy focused services.