Telco EE has been accused of “exposing over two million lines of private source code to their systems and employee systems,” due to the use of an admin:admin username and password combination.
According to security researcher and developer “Six”, there is a Sonarqube portal on an EE subdomain, which EE uses to audit the code and discover vulnerabilities across its website and customer portal. However, it had not changed the default password from “admin”, reported ZDNet.
“Access to this allows malicious hackers to analyze source code and identify vulnerabilities within,” Six said. “Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more.”
A spokesperson later told ZDNet that the company had changed the password and that the service was pulled offline while the company investigates, and that the portal was a tool used by the company's web development team to quality check its code.
The spokesperson said: “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.
“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We're conducting a thorough investigation to make sure this does not happen again.”
Luis Corrons, security evangelist at Avast Software, told Infosecurity that this is a “clear example of how inadequate security guidelines put companies in jeopardy,” but he welcomed the news that there was a password at all - although using default passwords is one of the major security risks we face nowadays.
“We have seen cases before where personal data has been made publically available due to the absence of proper protection,” he said. “A prime example is the case last year in the US where three marketing companies working for the Republican Party published a database online with information on about 198 million registered voters. Anyone could download the full database because there were no security measures in place.”
Rahim Jina, COO of Edgescan, told Infosecurity that exposures such as these are more common than you might think.
“I have no extra information, other than from reading the article, but many companies would deploy services such as these which would only ever be intended for internal users,” he said.
“It really comes down to a company’s deployment processes and policies. Some companies may not have strict guidelines here, or maybe they do and they were just not followed in this case. Sometimes where internal tools/services like these are deployed, the frame of mind is that these are for internal use only.”
Jina added that the responsibility here could lie with the development team, system admins or with a DevOps function (or all three). “Sometimes lack of coordination or defined responsibilities within these groups (for larger organisations) could lead to gaps and issues like this can arise.”