PwC sends 'cease and desist' letters to researchers who found critical flaw

The researchers disclosed details of the flaw, despite receiving two written legal threats.

(Image: file photo)

A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal action.

Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorized access to an affected SAP system.

US government pushed tech firms to hand over source code

If source code gets into the wrong hands, the damage would be incalculable.

Read More

The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money."

An attacker could also add a backdoor to the affected server, it read.

The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published.

Three days later, the corporate giant responded with legal threats.

"We believe in responsible disclosure," said Ertunga Arsal, chief executive of ESNC, in an email on Monday.

"We are security company, which is publicly credited by SAP and other companies for discovery of over 100 security vulnerabilities to date," he said.

Arsal said that this was the first time his company had submitted a vulnerability report to PwC, but it was also the first time that his company received a legal threat.

A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software.

The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices.

That was when PwC hit the security firm with a second cease-and-desist letter.

Undeterred, the researchers released a security advisory a little over two weeks later.

In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.

The corporate giant argued that ESNC shouldn't have had access to the software in the first place, as it wasn't a licensed partner.

"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.

The spokesperson also said in separate prepared statement: "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."

"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokespersons said.

It's far from the first time that a security firm or its researchers have faced the wrath from a company that fights instead of fixes.

Earlier this year, Justin Shafer, a Texas-based dental computer technician, made headlines when the FBI conducted a raid on his home after he found a security flaw.

Only a year earlier, security researcher Mike Davis was on the receiving end of legal threats after discovering a series of vulnerabilities in electronic locks made by Oregon-based Cyberlock.

"We informed PwC about the vulnerability and how it can be used to add a backdoor SAP admin account on the system during a meeting with their experts," said Arsal. "We gave them sufficient time to patch the vulnerability and to inform their customers."

Realizing the severity of the flaw, Arsal said that he "offered [PwC] our help during this process."

Given the hostility that some researchers face, it makes you wonder why some people bother to report vulnerabilities in the first place.

When we asked, Arsal said, simply, "because it is the right thing to do."

Were voting machines hacked during the 2016 election?