Das tut mir leid! Germany's ruling party sorry for calling cops on researcher after she outed canvassing app flaws
A "left-wing" German infosec researcher was this week threatened with criminal prosecution after revealing that an app used by Angela Merkel's political party to canvass voters was secretly collecting personal data.
In May, during federal elections in Germany, the CDU equipped its door-knocking activists with an app called CDU Connect.
The app was used for recording data on homeowners: did they welcome political activists knocking on their doors to find out who they were going to vote for? Did they shoo the CDU's foot soldiers away, or did they invite them in for a cuppa and a chat? At the time, Wittmann told us, the CDU insisted that data collected in the app was anonymous.
The researcher revealed her findings in a blog post, explaining on a phone call with The Register that all she did was sniff an API token, "man in the middle" style, "to figure out how the API works." Having done that, she discovered personal data was indeed being processed by the app.
After Wittmann reported the exploitable vulns to the CDU, the party shut down CDU Connect.
German daily newspaper Die Welt reported yesterday that CDU managing director Stefan Hennewig confirmed the party had told police of an alleged data theft and denied the party had accused Wittmann of stealing data - but then apologised anyway for naming her in the CDU's police report.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/05/germany_responsible_disclosure_cdu/