PwC Sends 'Cease And Desist' Letters To Researchers Who Found Critical Flaw
by Zack Whittaker
ZDNet.com, SECLISTS.org, ESNC News ISBN/ITEM#: CM161221DESIST
Date: 21 December 2016
We really don't understand the actions of auditing and tax giant PwC, who upon being informed of a remotely exploitable bug in a security tool by a security research firm, inexplicably turned around and threatened legal action against Munich-based ESNC.
From release/information:
The researchers disclosed details of the flaw, despite receiving two written legal threats.
A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal action.
Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorized access to an affected SAP system.
The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft, or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money."
An attacker could also add a backdoor to the affected server, it read.
The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of their responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published.
Three days later, the corporate giant responded with legal threats.
(Source: ZDNet.com, SECLISTS.org, ESNC)