Polish Security Researcher sued for finding bugs in UseCrypt Messenger

The developers of the encrypted messenger UseCrypt Messenger have filed a lawsuit against Polish cybersecurity researcher Tomasz Zieliński, editor of the blog Informatyk Zakładowy. In the fall of 2020, Zieliński published a blog article describing a vulnerability in the mechanism for inviting users.

The researcher found that in some cases, when UseCrypt Messenger users want to invite a friend to the application, the app uses an insecure domain (autofwd.com) to send such invites. Besides working over plain HTTP, AutoFWD.com was vulnerable to both SQL injection and XSS, allowing anyone to hijack the site and then read or forge invitations.

Although in the fall the developers of AutoFWD.com admitted that the researcher was right and eventually closed the resource altogether, Zieliński soon received a rebuttal from V440 SA, the legal entity behind the creation of UseCrypt Messenger.

In its message, the company claimed that the specialist’s research contained “false information.” V440 SA stated that their app does not use AutoFWD.com to handle invitations, but instead relies on its own solution hosted at get.usecryptmessenger.com.

Zieliński writes that the developers of UseCrypt are cunning: after the publication of his research, they quietly made corrections to the messenger, removing AutoFWD.com from the invitation processing mechanism. Now they are trying to refute everything, although the expert notified the company in advance of the problems and adhered to the rules adopted in such cases.

The situation finally escalated in March 2021, when Zieliński announced on Twitter that V440 SA had sued him and was now trying to force him to delete the article.

According to a local news source, Puls Biznesu, V440 SA also filed lawsuits against two other Polish IT blogs (Danger and Trusted Third Party), claiming that they and Informatyk Zakładowy are an “organized criminal group” and were in cahoots.

The blog authors have released a joint statement in which they say that the company is simply trying to intimidate them and subject them to censorship, forcing them to remove unwanted materials about UseCrypt Messenger.

“Requests to remove articles, requests for an apology and other letters from law firms to our editors will not stop us from being interested in this or that issue,” the researchers said.

