Polish Blogger Sued After Revealing Security Issue In Encrypted Messenger

An anonymous reader quotes a report from The Record: The company behind the UseCrypt Messenger encrypted instant messaging application filed a lawsuit last month against a Polish security researcher for publishing an article that exposed a vulnerability in the app’s user invite mechanism. The lawsuit targets Tomasz Zieliski, the editor of Informatyk Zakadowy, a Polish blog dedicated to IT topics, and denounces one of the site’s articles, published in October 2020. The article describes how Zielinski found that in some cases, when UseCrypt Messenger users wanted to invite a friend to the app, the application used an insecure domain (autofwd.com) to send out user invitations. Zielinski found that besides running on an insecure HTTP connection, the AutoFWD.com website was also vulnerable to SQL injection and cross-site scripting (XSS) vulnerabilities that would have allowed anyone to hijack the site and then read or tamper with UseCrypt invitations. But while the authors of the AutoFWD.com website admitted to the security weaknesses in their service and shut down their website, Zieliski received a firm rebuttal of his research from V440 SA, the legal entity behind the UseCrypt Messenger.

In a message the company sent Zieliski a day after his blog post went live, they claimed his research contained “false information.” In a message the company sent Zieliski a day after his blog post went live, they claimed his research contained “false information.” V440 SA said their app did not use the AutoFWD.com service to handle user invitations but instead relied on an in-house solution hosted on the get.usecryptmessenger.com domain. But in a subsequent update, Zieliski claims that the UseCrypt team was lying and that, in reality, they silently patched their app to remove the AutoFWD.com from its user invite mechanism after his research was posted online and were merely trying to dismiss his findings, even after he notified them in advance of his research.

To make matters worse, V440 SA had reportedly filed criminal complaints against not only Zielinksi’s blog but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming that the three were working as part of an “organized criminal group.”

“Requests to remove articles, requests for apologies and other letters from law firms addressed to our editors will not make us stop being interested in a certain issue,” the editors of the Polish blogs said in a joint statement. It’s currently unknown if there is actually a criminal investigation underway against the three sites or if this is just an intimidation tactic.