Note from hacker

Security loophole discovered in the climate bonus

A so-called ethical hacker discovered the security vulnerability while testing the climate bonus website.

(Bild: Sodexo)

Following a hacker's tip-off, a security loophole in the climate bonus has been eliminated. According to the Climate Protection Ministry, the misuse of forged ID cards could have made it possible to retrieve individual data on the payment status of the climate bonus, including the bank sort code or the amount of the climate bonus.

A so-called ethical hacker discovered the potential security gap in connection with the automatic verification of ID cards while testing the climate bonus website and immediately informed the Climate Protection Ministry. A comprehensive external review revealed that there was no evidence that the vulnerability could be exploited.

The tool was actually used to provide citizens with low-threshold information about receiving their climate bonus. It was taken offline in order to subsequently rectify all security vulnerabilities. The service hotline on 0800 8000 80 is still available for low-threshold information on the climate bonus.

No data leaked
As part of the necessary precautionary measures, the Ministry of Climate Protection has also informed the data protection authority. This authority has since closed the relevant proceedings, as no data was leaked and all appropriate measures were taken immediately. In addition, external experts were commissioned to re-examine the facts of the case. This review also came to the conclusion that no data of citizens had been leaked.

As a result of this incident and on the recommendation of epicenter.works, the Ministry of Climate Protection is now working on setting up a program to reward people who draw the Ministry's attention to security improvements.