Gaps in the connect app: When a hacker calls the CDU – Market Research Telecast


In May, the Berlin software developer Lilith Wittmann discovered serious security gaps in the CDU-connect mobile phone app and then found a poorly secured database on the web containing the personal data of over 18,000 election campaigners. In the course of a responsible disclosure, she also informed the party. This resulted in first a job offer, then a threat and finally a now-withdrawn criminal complaint. The preliminary investigation is still ongoing.

Ms. Wittmann, how did you come to look into the CDU’s election campaign app?

The topic was circulating on Twitter at the time, and I was surprised that there was apparently a massive amount of data on voters and their opinions. That sounded like something you just shouldn’t do, as had been seen in the US.


How long did it take to find the hole and the database behind it?

Maybe two or three hours for the vulnerability. It was so easy that I almost didn’t try it – but suddenly I had the whole database in my hand. Documenting and communicating the vulnerability then took a lot longer.

You explain in your blog post that the BSI, CERT, the state data protection officer and the CDU had all been informed in good time. Still, some people accuse you of not practising responsible disclosure because you tweeted about your work beforehand.

I didn’t reveal any security flaws or any details. Saying that I am using this thing and looking at it – that doesn’t mean that I’ve found a hole. I also don’t write anything about gaps as long as they have not been fixed or the relevant application is not offline.

And why was there an alarm in so many places?

I always have to inform the BSI if there is a data leak. And from my point of view, this was also personal data, hence the state data protection officer. But first of all I tried to inform the CDU. It quickly became clear, though, that nobody wanted to talk to me about security vulnerabilities on the phone.

Who did you speak to?

I called the federal headquarters of the CDU and introduced myself as a security researcher who had found a loophole. They then transferred me three times, and then I was told: “Write an email to our data protection officer, we don’t know what to do now either”. I then did that, in parallel informing all the relevant authorities, and pointed out that I was in a process of responsible disclosure. But first I had tried to phone the party to ask that they take this thing offline.

Next there was the first conversation with the CDU federal manager Stefan Hennewig. How did that happen?

He first wrote to me via his private Twitter account and asked for a conversation. Shortly afterwards we spoke on the phone. First of all, I was supposed to confirm to him that I had not saved any personal data of CDU members – I didn’t have it, why should I? Then he offered to have me work for the party because there were a lot of security problems. I then explained to him that I don’t work for people in whose systems I have just found gaps, because then I would be working in the security industry and could no longer do this as a civil society commitment. And then I told him what I thought of the CDU.

In retrospect, that seems to have been a mistake …

Yes, he said he should actually report me. I said that I didn’t believe that, and we argued a bit about whether the CDU stores personal data of its voters. I think they do, and then he said again that he wanted to report me. Then I ended the conversation.

And then nothing happened for a long time, did it?

Except for the fact that Armin Laschet called me a “hacker” on television.

That was in his interview with ProSieben on May 17th, and you were pretty annoyed about the term on Twitter – why?

It depends on how you use “hacker”. It can mean people who do cool and creative things. But the way Laschet used it, as in “someone hacked into it”, it has a clearly negative connotation. That’s why I often try to replace it with “IT security researcher” in interviews.
