Friday, May 22, 2026

CDU apologizes to security researcher


The CDU has apologized to a security researcher from the Chaos Computer Club (CCC) community who became a target of law enforcement because of the party’s criminal proceedings. In May of last year, software developer Lilith Wittmann discovered an obvious security vulnerability in the CDU application used for door-to-door campaigns and reported it to the CDU, the Federal Information Security Office (BSI) and the Berlin Data Protection Agency. On Tuesday, Wittmann reported on Twitter that the National Criminal Investigation Office had contacted her because she was “accused” in this case.

CDU Federal Managing Director Stefan Hennewig said on Twitter that the party reported a security breach in the Connect app a few weeks ago. “Our report is not aimed at Lilith Wittmann’s responsible disclosure procedure.” Under this procedure, researchers report vulnerabilities to the affected companies or institutions and only go public once the risk to affected persons has been averted. CDU politicians say that these procedures are a good way to make affected people aware of security vulnerabilities and are an important part of improving IT security.

However, in connection with the security breach in the app, personal data was allegedly also published by a third party, Hennewig explained. “I spoke with Lilith Wittmann on the phone today. It has nothing to do with these two processes! The mention of your name in the ad was a mistake, and I apologize for it. I dropped the charges against them at LKA.”

The CCC had previously announced that it will no longer share knowledge about security vulnerabilities with the CDU in the future. “In order to avoid future legal disputes, unfortunately, we are forced to abandon reporting weaknesses in the CDU system,” the club spokesperson Linus Neumann announced.


