Koelnmesse vs IT student: Security authority wants to 'arbitrate'

The Federal Office for Information Security (BSI) in Bonn reports to the Federal Ministry of the Interior.


The Federal Office for Information Security (BSI) rates the 'vulnerability report' in the Gamescom ticket system as “technically plausible”.

On Friday last week, IT student Patrik made public on his X channel a potential security hole he had found in the Gamescom ticketing system. He had discovered the problem in mid-August 2023 and immediately reported it to Koelnmesse, the organizer of the Cologne games fair. According to his professional assessment, the vulnerability made it possible to access sensitive data of registered customers: name, address, mobile number, email address and ticket information.

The report was initially followed by nothing. Instead, in January he received a summons from the Cologne public prosecutor's office and a criminal complaint for 'suspicion of computer sabotage/fraud', which Patrik is now defending himself against (details). He subsequently escalated the issue, among others to the Federal Office for Information Security (BSI) in Bonn and to the data protection officer of the state of North Rhine-Westphalia.

In response to a request from GamesWirtschaft, Koelnmesse announced on Tuesday that the case in question had been known since last year and had been “dealt with” immediately after it became known. This is accompanied by a clear denial: “There was and is no data leak at Gamescom. We take every report of potential security vulnerabilities very seriously and carefully investigate any suspicions. The data of Gamescom visitors is safe.”


Shortly before the weekend, the BSI assessed the matter and Koelnmesse's position. The Federal Office's preliminary finding: its in-house experts can follow the submitted “vulnerability report”, and the process is to be classified as “technically plausible”. However, the authority qualifies this: “A check of the vulnerability – i.e. the specific exploitation of the vulnerability – does not take place.”

The BSI does not currently want to comment on how it will proceed: in this case it wants to act as an “intermediary” and “arbitrator” and work towards constructive cooperation with the company, also to find out what countermeasures have been taken. So the case is not yet closed. The Cologne public prosecutor's office has not yet made a final statement either.

The question remains: is it normal and usual in daily practice for people who report security vulnerabilities to be prosecuted? The BSI is astonished: “The BSI is not aware of any legal prosecutions in which security researchers contacted the BSI first after discovering a vulnerability. The BSI always ensures that the information provided by reporting parties is handled in a trustworthy manner. If desired, a report can also be made anonymously.”

Several hundred thousand trade and private visitors are expected again at Gamescom 2024, which starts on August 21, 2024; advance ticket sales are already underway.
