Payment flaw gave researcher 1.3 million MBR documents for just one cent

MBR says it has addressed the issue after Lilith Wittmann ‘manipulated the payment gateway’

Updated 2.55pm with Wittmann response

A security researcher obtained more than one million documents from the business registry for a nominal fee after “manipulating” the website’s payment gateway.

The Malta Business Registry (MBR) said it has since fixed the vulnerability which allowed German researcher Lilith Wittmann to download 1.3 million PDFs for one cent – a far cry from the €1 to €10 charged per document by the registry.

The incident first came to public attention when Wittmann posted about it on X, claiming that the MBR website had been offline over the preceding weekend after she obtained the documents.

“Some gambling companies might not have been able to use the long weekend to start a new shell company in Malta. That’s because, since Thursday, the [Malta Business Registry] has been offline,” she said, while tagging the registry in the post.

“And, no, this time I really did not hack you,” said Wittmann, while attributing the access to use of the MBR website’s application programming interface (API), a type of computer-to-computer or software-to-software communication.

In subsequent exchanges with other X users, Wittmann said she had obtained the documents to keep a “back-up” of the registry “because we both know that it sometimes has the tendency to lose documents”, while pointing to a 2020 media article claiming the MBR had wiped tens of thousands of struck off companies from its database.

The one cent paid by Wittmann is far below what such a large trove of documents would typically cost; prospectuses cost €10 while memorandums and articles of association, partnership deeds and annual accounts cost €5. Annual returns are sold for €2 and other documents for €1.

Downloading the same number of documents from the registry as in Wittmann’s case would cost at least €1.3 million.

Confirming Wittmann’s access, the MBR told Times of Malta that, while the documents were all available for public download, the researcher “manipulated the payment gateway to obtain the documents at a reduced fee”.

The registry said it had “not received any correspondence” from Wittmann and that the “issue has been addressed”.

Wittmann: 'They allowed me to decide what to pay'

Wittmann rebutted that she had at no point manipulated any MBR systems. 

"I only used APIs as intended. Those APIs are advertised on MBR's portal. And they allowed me to decide what I wanted to pay for the documents," she said.

Wittmann said the EU's Open Data directive also indicated that the documents should be available via APIs and free of charge. 

"There were no indications that buying the data on a pay-what-you-want scheme would conflict with the portal's design in any way," she said. 
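The dispute above turns on one design question: did the server price the basket, or did it accept whatever amount the client put in the request? The following is an added illustration of that vulnerability class in general, not the MBR's code, and it makes no claim about how the registry's portal or gateway was actually built. The per-document fees are the ones quoted in this article; the document ids, the `CATALOGUE` lookup, the request shape and the `release_documents` callback are all constructed assumptions.

```python
"""Client-controlled price in a document-purchase API: vulnerable vs hardened.

Hypothetical illustration only. It is not the MBR's code and makes no claim about
how its portal was implemented. Prices are the per-document fees quoted in the
article; the document ids and request/callback shapes are constructed sample data.
"""
from decimal import Decimal

# Server-side price list (EUR): the only source of truth for what a document costs.
PRICE_BY_TYPE = {
    "prospectus": Decimal("10"),
    "memorandum": Decimal("5"),
    "partnership_deed": Decimal("5"),
    "annual_accounts": Decimal("5"),
    "annual_return": Decimal("2"),
    "other": Decimal("1"),
}

# Constructed catalogue: document id -> document type (a DB lookup in a real system).
CATALOGUE = {
    "DOC-0001": "prospectus",
    "DOC-0002": "annual_return",
    "DOC-0003": "memorandum",
}


class PriceMismatch(Exception):
    """Raised when a client-supplied amount disagrees with the server's price."""


def create_order_vulnerable(req):
    """Trusts the 'amount' field the client sends. The price list is never
    consulted, so a client can pay 0.01 for any basket it likes."""
    return {"documents": list(req["documents"]), "amount": Decimal(str(req["amount"]))}


def server_total(doc_ids):
    """Price the basket from the catalogue only; unknown ids are rejected."""
    total = Decimal("0")
    for doc_id in doc_ids:
        doc_type = CATALOGUE.get(doc_id)
        if doc_type is None:
            raise KeyError(f"unknown document {doc_id}")
        total += PRICE_BY_TYPE[doc_type]
    return total


def create_order_hardened(req):
    """Computes the amount server-side. If the client echoes an amount it must
    match exactly; a mismatch is rejected (and worth logging as tampering)
    rather than silently corrected."""
    expected = server_total(req["documents"])
    if "amount" in req and Decimal(str(req["amount"])) != expected:
        raise PriceMismatch(f"client sent {req['amount']}, server computed {expected}")
    return {"documents": list(req["documents"]), "amount": expected}


def rejects_tampered_amount(req):
    """True if the hardened endpoint refuses the request because of its amount."""
    try:
        create_order_hardened(req)
    except PriceMismatch:
        return True
    return False


def release_documents(order, payment):
    """Second, independent control at fulfilment time: the gateway's settled
    amount and currency (a constructed stand-in for a gateway callback) must
    cover the order total before any PDF is handed out."""
    if payment["currency"] != "EUR":
        return False
    return Decimal(str(payment["settled_amount"])) >= order["amount"]


if __name__ == "__main__":
    tampered = {"documents": ["DOC-0001", "DOC-0002", "DOC-0003"], "amount": "0.01"}
    print("vulnerable:", create_order_vulnerable(tampered))  # accepts 0.01 for a 17 EUR basket
    print("hardened rejects:", rejects_tampered_amount(tampered))  # True
    paid = create_order_hardened({"documents": ["DOC-0001", "DOC-0002"]})
    print("release on full payment:", release_documents(paid, {"currency": "EUR", "settled_amount": "12.00"}))
```

The two controls are deliberately separate: pricing the basket on the server stops the client from choosing the amount, and checking the settled amount at fulfilment stops a mismatch between the order and what the gateway actually collected from releasing documents.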

This is not the first time Wittmann has accessed a government database; in March, she claimed responsibility for a system breach at the Malta Gaming Authority (MGA) while saying the accessed data would shed light on alleged “organised crime enablement schemes”. The MGA announced the breach on its website a few days beforehand.

The MGA breach was not the first time the researcher targeted Malta’s gambling sector, however; last year, she “easily” exposed a security flaw to access sensitive personal information of over a million online casino players from a St Julian’s-based software company.
