Mar 11, 2011 17:56 GMT

The Chaos Computer Club (CCC) hacker collective has notified the German Federal Finance Agency (Bundesfinanzagentur) of a serious security hole present on its website for years.

The vulnerability allowed any user to modify the content of the website through a Web-based file manager that was left unprotected.

The German Finance Agency is a state-owned financial services company responsible for managing federal debt, as well as issuing Federal securities.

By leveraging the security hole, attackers could have added their own transaction quotes and could have changed the destination of the site's "Internet banking" link.

It's unclear for how long the website was vulnerable, but the unsecured file manager was probably there for years.

It has not yet been determined whether any transactions were altered during this period or whether phishers redirected online banking users to a rogue website.

The CCC learned of the vulnerability after being notified by one of its over 4,000 members, who discovered the file manager by looking at the site's robots.txt file, the publicly readable file that tells search engines which pages not to index.
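Because robots.txt is public, every path it asks crawlers to skip is also visible to anyone who fetches it, so listing an unauthenticated tool there hides nothing. The following audit script is an added example, not code from the article or from the CCC or the agency; it parses a constructed robots.txt body, groups Disallow entries by user-agent, and flags paths whose names suggest administrative or file-management functionality so an operator can confirm each one actually requires authentication. The keyword list and the sample file are assumptions for illustration.

```python
"""Audit a robots.txt body for Disallow entries that point at sensitive tooling.

Added example (not from the original article). The sample robots.txt below is
constructed; the keyword hints are an assumed starting list, not a standard.
"""
import urllib.error
import urllib.request

# Constructed sample, not the agency's real file.
SAMPLE_ROBOTS_TXT = """\
# crawler rules
User-agent: *
Disallow: /tmp/
Disallow: /filemanager/
Disallow: /admin/
Allow: /public/

User-agent: Googlebot
Disallow: /cgi-bin/
"""

# Substrings that usually indicate an administrative or upload interface.
SENSITIVE_HINTS = (
    "admin", "manager", "upload", "cgi-bin", "backup", "console", "phpmyadmin",
)


def parse_robots(text):
    """Return a dict mapping each user-agent to its list of Disallow paths.

    Consecutive User-agent lines form one group that shares the rules that
    follow, as in the robots exclusion convention. Comments and blank lines
    are ignored; an empty Disallow (meaning "allow all") adds nothing.
    """
    rules = {}
    current_agents = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not last_was_agent:
                current_agents = []
            current_agents.append(value)
            rules.setdefault(value, [])
            last_was_agent = True
        elif field == "disallow":
            last_was_agent = False
            if value:
                for agent in current_agents:
                    rules[agent].append(value)
        else:
            last_was_agent = False
    return rules


def flag_sensitive(rules):
    """Return the sorted, de-duplicated disallowed paths that look like admin tooling."""
    flagged = set()
    for paths in rules.values():
        for path in paths:
            if any(hint in path.lower() for hint in SENSITIVE_HINTS):
                flagged.add(path)
    return sorted(flagged)


def audit(text):
    """Parse a robots.txt body and return the paths an operator should verify."""
    return flag_sensitive(parse_robots(text))


def requires_auth(url, timeout=5):
    """Return True if an unauthenticated GET is refused (401/403), False if it serves 200.

    Network check for use against your own site; not exercised offline.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status != 200
    except urllib.error.HTTPError as err:
        return err.code in (401, 403)


if __name__ == "__main__":
    for path in audit(SAMPLE_ROBOTS_TXT):
        print("verify access control on:", path)
```

The point of the check is the second step: each flagged path is then requested without credentials against your own site (the `requires_auth` helper) and anything answering 200 is a finding. Moving a tool off the crawl index is not a substitute for authentication in front of it.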

The Finance Agency was immediately alerted and has suspended access to the site in order to investigate the problem.

A spokesperson for the company admitted that the website was subjected to outside penetration testing, as well as government reviews, but the issue was never identified.

"This is not an oversight, this is gross negligence. For an agency that is responsible for the funding of German debt, this is a massive exposure," said CCC spokesman Dirk Engling. [approximate translation]

Dating back to 1981, the Chaos Computer Club is one of the largest and oldest hacking collectives in the world. It is best known for organizing the Chaos Communication Congress (C3), the biggest European hacker conference that takes place every year in Berlin.