Polish blogger sued after revealing security issue in encrypted messenger
The company behind the UseCrypt Messenger encrypted instant messaging application filed a lawsuit last month against a Polish security researcher for publishing an article that exposed a vulnerability in the app's user invite mechanism.
The lawsuit targets Tomasz Zieliński, the editor of Informatyk Zakładowy, a Polish blog dedicated to IT topics, and denounces one of the site's articles, published in October 2020.
The article describes how Zieliński found that in some cases, when UseCrypt Messenger users wanted to invite a friend to the app, the application routed the invitation through a third-party domain (autofwd.com) rather than through the app's own infrastructure.
Zieliński found that besides serving the invite flow over a plaintext HTTP connection, the AutoFWD.com website was also affected by SQL injection and cross-site scripting (XSS) flaws that would have allowed anyone to hijack the site and then read or tamper with UseCrypt invitations.
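The two properties at issue here, whether an invite link leaves the app's own domain and whether it travels over plaintext HTTP, are easy to audit mechanically. The following is an added example, not code from the article, from Zieliński's research or from UseCrypt's own app: it inspects invite URLs and flags any that use a non-HTTPS scheme or point at a host outside a first-party allowlist. The allowlist entry `usecryptmessenger.com` is an assumption generalised from the one in-house domain the article names (get.usecryptmessenger.com); the sample links are constructed for the example and include two lookalike tricks (a userinfo prefix and a longer-suffix domain) that a naive string check would miss.

```python
from urllib.parse import urlsplit

# Assumed first-party domains for the invite flow. The article names only
# get.usecryptmessenger.com; treating the parent domain as first-party is an
# assumption for this example.
FIRST_PARTY_DOMAINS = ("usecryptmessenger.com",)


def is_first_party(host, allowed=FIRST_PARTY_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one.

    Matches on label boundaries, so 'usecryptmessenger.com.evil.example'
    is NOT accepted even though the allowed name appears inside it.
    """
    host = host.lower().rstrip(".")
    for domain in allowed:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def audit_invite_link(url, allowed=FIRST_PARTY_DOMAINS):
    """Return a list of findings for one invite link; empty means no issue."""
    findings = []
    parts = urlsplit(url)
    # .hostname drops any user:pass@ prefix, so 'https://a.example@b.example'
    # is correctly attributed to b.example, not a.example.
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("plaintext transport: scheme is %r" % parts.scheme)
    if not host:
        findings.append("no host in URL")
    elif not is_first_party(host, allowed):
        findings.append("third-party host: %s" % host)
    return findings


def audit_all(urls, allowed=FIRST_PARTY_DOMAINS):
    """Map each URL to its findings, keeping only URLs that have any."""
    return {u: f for u in urls if (f := audit_invite_link(u, allowed))}


# Constructed sample invite links for the example (not captured traffic).
SAMPLE_INVITES = [
    "http://autofwd.com/?u=abc123",                              # HTTP + third party
    "https://get.usecryptmessenger.com/invite/abc123",           # clean
    "https://get.usecryptmessenger.com@autofwd.com/invite",      # userinfo trick
    "https://usecryptmessenger.com.evil.example/invite/abc123",  # suffix trick
]

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_INVITES).items():
        print(url)
        for f in findings:
            print("  -", f)
```

Running the block prints findings for three of the four constructed links; only the HTTPS link on get.usecryptmessenger.com passes. The host comparison on label boundaries and the use of `hostname` (which discards the userinfo part) are the two details that make the check robust against the lookalike URLs.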
But while the operators of the AutoFWD.com website admitted to the security weaknesses in their service and shut down their website, Zieliński received a firm rebuttal of his research from V440 SA, the legal entity behind UseCrypt Messenger.
In a message the company sent Zieliński a month after his blog post went live, they claimed his research contained "false information."
V440 SA said their app did not use the AutoFWD.com service to handle user invitations but instead relied on an in-house solution hosted on the get.usecryptmessenger.com domain.
But in a subsequent update, Zieliński claims that the UseCrypt team was lying and that, in reality, they silently patched their app to remove AutoFWD.com from its user invite mechanism after his research was posted online, and that they were merely trying to dismiss findings he had already shared with them before publication.
But while this small bug disclosure went unnoticed for months, things escalated at the start of March 2021, when Zieliński disclosed on Twitter that V440 SA filed a civil lawsuit in a Polish court over last year's research, with the company seeking to force the blogger to take down his article.
Every so often, for important reasons, I ask you for an RT, and this is exactly such a case. I would like the news to travel as far as possible that the publisher of the #Usecrypt messenger has sued me in a civil case to cease infringement of personal rights and to remove the effects of the infringement 1/6— Informatyk Zakładowy (@InfZakladowy) March 14, 2021
In addition, Polish news site Puls Biznesu also ran an article citing sources and claiming that V440 SA had also filed criminal complaints against not only Zieliński's blog but also against Niebezpiecznik and Zaufana Trzecia Strona, two other Polish IT security blogs, claiming that the three were working as part of an "organized criminal group."
But the three Polish blogs believe all of this is just intimidation.
In a joint statement posted on all three sites on March 2, 2021, the editors of Informatyk Zakładowy, Niebezpiecznik, and Zaufana Trzecia Strona said they have been receiving legal letters from V440 SA demanding the removal of any negative articles and user comments about the UseCrypt Messenger app from their websites, in what the three sites described as "an attempt to intimidate and censor independent media."
"Requests to remove articles, requests for apologies and other letters from law firms addressed to our editors will not make us stop being interested in a certain issue," the joint statement reads.
Furthermore, an editor at Zaufana Trzecia Strona also told The Record that they have not yet been able to confirm whether there is indeed a criminal investigation underway against the three sites or whether this is just another intimidation tactic meant to put more pressure on the three sites.
The Polish National Public Prosecutor's Office told The Record in a phone call last week that they cannot comment on an ongoing investigation, nor could they confirm or deny that such an investigation exists, as a matter of policy.
A V440 SA spokesperson did not respond to a request for comment The Record sent two weeks ago.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.