The developers of the encrypted UseCrypt Messenger have filed a lawsuit against Polish information security researcher Tomasz Zieliński, editor of the blog Informatyk Zakładowy. In the fall of 2020, Zieliński published an article on his blog describing a vulnerability in the mechanism for inviting users.
The researcher found that in some cases, when UseCrypt Messenger users want to invite a friend to the application, it uses an insecure domain (autofwd.com) to send such invites. In addition to working over HTTP, AutoFWD.com was vulnerable to both SQL injection and XSS, allowing anyone to hijack the site and then read or forge invitations.
Although in the fall the developers of AutoFWD.com admitted that the researcher was right and eventually closed the resource altogether, Zieliński soon received a rebuttal from V440 SA, the legal entity behind the creation of UseCrypt Messenger.
In its report, the company claimed that the specialist’s research contained “false information.” V440 SA stated that their app does not use AutoFWD.com to handle invitations, but instead relies on its own solution hosted at get.usecryptmessenger.com.
The company is now trying to refute everything, although the researcher notified it of the problems in advance and followed the rules adopted in such cases.
The situation finally escalated in March 2021, when Zieliński announced on Twitter that V440 SA had sued him and was now trying to force him to delete the article.
According to local news outlet Puls Biznesu, V440 SA has also filed lawsuits against two other Polish IT blogs (Niebezpiecznik and Zaufana Trzecia Strona), claiming that they and Informatyk Zakładowy are an “organized crime group” and were in cahoots.
The authors of the blogs released a joint statement, in which they say that the company is simply trying to intimidate and censor them, forcing them to remove unwanted materials about UseCrypt Messenger.