Germany's CDU has apologized to a security researcher associated with the Chaos Computer Club (CCC) who was targeted by law enforcement authorities because of a criminal complaint filed by the party. Last May, software developer Lilith Wittmann found glaring security gaps in a CDU app for the doorstep election campaign and reported them to the CDU, the Federal Office for Information Security (BSI) and the Berlin data protection authority. On Tuesday, Wittmann reported on Twitter that she had been contacted by the State Office of Criminal Investigation (LKA) because she was being "accused" in this case.

CDU Federal Managing Director Stefan Hennewig said on Twitter that the party had filed a criminal complaint a few weeks ago in connection with the security gap in the Connect app. "Our report is NOT directed against Lilith Wittmann's Responsible Disclosure procedure." In such a procedure, developers report a vulnerability to the affected company or institution and report on it publicly only once the danger to those affected has been averted. These procedures are a good way to make those affected aware of security gaps and an important component in increasing IT security, said the CDU politician.

In connection with the security gap in the app, however, it was alleged that personal data was also published by third parties, explained Hennewig.

“I spoke to Lilith Wittmann on the phone today.

It has nothing to do with these two processes!

The mention of your name in the ad was a mistake for which I apologized.

I withdrew the charge against them at the LKA.”

The CCC had previously announced that it would no longer share knowledge about security gaps with the CDU in the future.

"In order to avoid legal disputes in the future, we are unfortunately forced to forego reporting weaknesses in CDU systems," announced club spokesman Linus Neumann.

Wittmann found out in May that the “CDUconnect” app, which is used in the doorstep election campaign, allowed confidential data to be accessed freely. In addition to the personal data of election campaign workers and CDU supporters, statements by the citizens visited, combined with their age group, were also freely available. After Wittmann's report, the CDU took the app offline and closed the security gap.