A 22-year-old hacker has been fined 455 euros for breaching the Meie Maa media website and disabling the comments section, which then diverted readers to a rival site. The attack took place in May, forcing Meie Maa, a media outlet in Saare County, to temporarily shut down its comments section, Meie Maa reported. Readers entering the section were told the site is unsafe and were directed to Saarte Hääl, a rival news site.
The Western District Prosecutor’s Office fined the man 455 euros, of which 100 euros, which has already been paid, will go to Meie Maa as compensation for damages and 355 euros will go to state coffers. Head of Meie Maa, Priit Rauniste, said they are yet to decide whether they will pursue civil action against the man.
Escaped criminal punishment – Western District Prosecutor’s Office closed the criminal proceedings in this case.
Apparently, meimemaa.ee had a XSS vulnerability in the comments section, which was exploited by adding a HTML code which displayed the message and redirected visitor’s browser to other news site.
Not clear how the fine was calculated and what section under Estonian Penal Code was originally imposed against the attacker.
Links:
http://news.err.ee/v/society/e0f267a5-b8f5-45e0-baac-584a1fd61360
http://uudised.err.ee/v/eesti/cbe747dc-22e2-4b9b-ab05-a8d90a1a50b0
The hint about Penal Code clause §207 can be found in the Estonian version of news story:
Western District Prosecutor’s Office ended the criminal case against the hacker and obliged him to pay 455€. The hacker attacked the website of “Meie Maa” (Our Land/Country) regional newspaper.
June last year a web attack had place which forced “Meie Maa” temporarily close the commentaries section, because the hacker paralyzed the possibility to comment on the stories, as Meie Maa (link) explains.
When entering any of the commentaries sections of Meie Maa, the user was automatically redirected to pages of another local newspaper (id est – of the competitors one), or, a comment appeared (see the picture), as of visiting the webpage be somehow insecure. This was the reason why the (holding company of Meie Maa) Saaremaa Raadio OÜ (Öland Radio Ltd) turned to the Police to find the attacker.
The Police instated, that 9-th and 10-th June 2014, someone Siim (he), 22 yr old, entered some data into the commentaries form (they seemingly mean persistent XSS) which further interfered with the normal work of the computer system or precluded its action (hint on the Penal Code clause §207).
Due this modification, another user saw the text “Warning. Unsuccessfully meiemaa.ee is insecure. To avoid security risks better read http://www.saartehaal.ee) (i.e. the competitors’ site), and after that the user was automatically redirected to there.
Criminal charges dropped.
The West region Prokuratura stopped the criminal investigation and obliged the young man to pay 355EUR to government revenues. Additionally, the young man had was obliged to pay losses made to OÜ Saarema Raadion, 100€, untlil 15-th May as the latest. However, he already paid this 29-th Dec 2014.
As the Saaremaa Raadio MEmber of Board and ActingDirector Priit Rauniste said, 100€ were real losses spent to liquidate the consequences of the attack, while the extent of the moral losses are matter of estimation, as well as the plans about suing the hacker. Rauniste said: “we haven’t yet decided whether or not we will sue the man”.