Polish blogger sued after revealing security issue in encrypted messaging

An anonymous reader quotes a report from The Record: The company behind the UseCrypt Messenger encrypted instant messaging app lodged a complaint last month against a Polish security researcher for posting an article that exposed a vulnerability in the application’s user invitation mechanism. The lawsuit targets Tomasz Zieliński, editor-in-chief of Informatyk Zakładowy, a Polish blog dedicated to IT topics, and denounces one of the articles on the site, published in October 2020. The article describes how Zieliński found that in some cases, when UseCrypt Messenger users wanted to invite a friend to the app, the app used an insecure domain (autofwd.com) to send invitations to users. Zieliński discovered that in addition to running over an insecure HTTP connection, the AutoFWD.com website was also vulnerable to SQL injection and cross-site scripting (XSS) vulnerabilities that would have allowed anyone to hack the site and then read or tamper with UseCrypt invitations. But while the authors of the AutoFWD.com website admitted their service’s security weaknesses and shut down their website, Zieliński received a firm rebuttal of his research from V440 SA, the legal entity behind UseCrypt Messenger.

In a message the company sent to Zieliński a day after his blog went live, they claimed his research contained “false information.” V440 SA said its app does not use the AutoFWD.com service to manage user invitations, but instead relies on an in-house solution hosted on the get.usecryptmessenger.com domain. But in a later update, Zieliński claims the UseCrypt team was lying, and that in fact they silently patched their app to remove AutoFWD.com from its user invite mechanism after his research was published online and were just trying to dismiss his conclusions, even after he had notified them in advance of his research. To make matters worse, V440 SA reportedly filed criminal complaints not only against Zieliński’s blog, but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming the three worked as part of an “organized criminal group.”

“Requests for deletion of articles, requests for apologies and other letters from law firms to our editors will not make us stop being interested in a certain issue,” the editors of the Polish blogs said in a statement. It is currently unknown if there is actually an ongoing criminal investigation against all three sites or if this is just a bullying tactic.
