Researchers Find Vulnerability That Enables Accounting Fraud, PwC Decides The Best Response Is A Legal Threat

from the you're-not-helping dept

For years now, we've noted that some companies apparently think it's a good idea to punish security researchers who expose vulnerabilities in their products, even when the researchers use the proper channels to report their findings. This kind of absurdity runs hand-in-hand with international attempts to criminalize security research -- or the tools researchers use to do their jobs. Obviously, this kind of behavior has one tangible end result: it makes all of us less secure.

The latest chapter in this saga of myopic bumbling comes courtesy of PwC, which for whatever reason decided that the best response to a major security flaw found in one of the company's products was to fire off a cease and desist letter aimed at the researchers. More specifically, Munich-based ESNC published a security advisory earlier this month documenting how a remotely exploitable bug in a PwC security tool could allow an attacker to gain unauthorized access to an impacted SAP system. The advisory was quick to point out that the vulnerability could allow a hacker to, if they were so inclined:

"Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions. This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money."

The researchers say they received the cease and desist threat despite meeting with PwC in August to discuss the flaw. ESNC also gave PwC three months to fix the flaw before issuing their public advisory, in line with the firm's responsible disclosure policy. ESNC says this was the first time they'd ever sent their research and findings to PwC. It was also the first time they've ever been legally threatened for doing their job, despite the discovery of over 100 security vulnerabilities to date. Despite two cease and desist letters, ESNC released their findings anyway -- "because it is the right thing to do."

When pressed for comment, PwC read directly from the tone-deaf playbook, first pointing out that ESNC did not have a license to use this software (irrelevant), then trying to downplay the fact that the vulnerability could enable accounting and financial fraud:

"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.

"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokesperson said.

This kind of behavior has always been, for lack of a more scientific term, blisteringly idiotic. But it's becoming more of a problem with the rise of the internet-of-poorly-secured things, which has exponentially amplified the number of attack vectors and product vulnerabilities in the wild. With security researchers now clearly warning us that the failure to secure these products will inevitably result in human fatalities at scale, this ongoing attempt to criminalize security research needs to be considered a criminal act in and of itself.

Filed Under: cybersecurity, legal threats, research, security, security research, threats

Companies: esnc, pwc