Posted on May 12, 2018 at 6:28 PM
According to one security researcher, there has been a massive oversight in the security of the British mobile network company EE. By failing to change a default username and password, the company left its users' and employees' data wide open and ready for the taking.
EE fails to secure a code repository
One of the largest mobile networks in Britain, EE, which is owned by BT Group, was accused of putting a critical code repository at risk through poor security. According to one researcher, the company left the repository protected only by default login credentials.
This researcher, who uses the Twitter handle "six", posted a tweet announcing that he had gained access to two million lines of code. The code contains a number of AWS secret keys and API keys belonging to developers and other company employees.
With these keys, attackers could study the company's payment systems in detail and discover further vulnerabilities. That opens up a number of frightening possibilities, including the potential theft of payment information.
According to the researcher, the code could be accessed on an EE subdomain running SonarQube, the platform from SonarSource that the company uses for code analysis and bug detection.
Reports of the flaw were not answered
The researcher also claimed that he reported this to the company multiple times over a span of several weeks. Surprisingly, the company did not respond on any of these occasions, which finally prompted him to go public with his findings.
Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more. Also; pushing to prod with 167 vulnerabilities???? (MyEE-Web master) – 2 pic.twitter.com/jyLEBt2f0w
— six (@lol_its_six) May 10, 2018
In a tweet, he stated that he had waited for many weeks, yet no reply ever came, which forced him to let the public know about the issue. He disclosed the critical details in the post, stating that the two million lines of code were protected only by the default admin:admin username and password combination.
With these credentials left at their defaults, practically nothing would stop attackers from analyzing the code and finding additional vulnerabilities. In fact, he claims that no real analysis is even needed, since attackers can simply pick the API and AWS keys out of the exposed data.
Finally, he warned the company's customers that their data is at risk, since EE evidently does not care much about its users' security. The company told ZDNet that these accusations are false and that its customers' data is not at risk.
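The two findings the researcher describes, live AWS keys committed into source code and a service left on its default password, are both things an organization can catch on its own side before code ever reaches a shared analysis platform. The following scanner is an added example written for this article, not code from the researcher or from EE or SonarSource. It walks over a constructed sample of configuration lines and flags AWS access key IDs by their documented prefix, AWS secret keys by their 40-character shape next to the word "secret", generic API tokens by Shannon entropy, and well-known default passwords from a small constructed list. The sample key values are the placeholder keys AWS uses in its own documentation, not live credentials; the regexes, threshold and default-password list are assumptions for the example.

```python
import math
import re
from collections import Counter
from typing import NamedTuple, Optional, Tuple

# Constructed sample input: a configuration file of the kind that ends up in a
# code repository. The AWS values are the placeholders from AWS documentation.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
INTERNAL_API_TOKEN = "9f8b2c7d4e1a6b3c9d0e5f7a8b1c2d3e"
SONAR_PASSWORD = "admin"
BUILD_LABEL = "release_candidate_01"
"""


class Finding(NamedTuple):
    line_no: int
    kind: str
    excerpt: str  # redacted, so the report itself does not leak the secret


# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) + 16 chars.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-style value on a line that mentions "secret".
AWS_SECRET_RE = re.compile(r"(?i)secret[^\n]*?['\"]([A-Za-z0-9/+=]{40})['\"]")
# Generic token assignments; the value is then judged by its entropy.
GENERIC_TOKEN_RE = re.compile(
    r"(?i)(api[_-]?key|api[_-]?token|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)
# Password assignments checked against a constructed list of default values.
PASSWORD_RE = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s]+)")
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "root"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without reproducing it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "<redacted>"


def classify_line(line: str, min_entropy: float) -> Tuple[Optional[str], Optional[str]]:
    """Return (finding kind, raw value) for the first rule that matches, else (None, None)."""
    m = AWS_ACCESS_KEY_RE.search(line)
    if m:
        return "aws_access_key_id", m.group(0)
    m = AWS_SECRET_RE.search(line)
    if m:
        return "aws_secret_access_key", m.group(1)
    m = PASSWORD_RE.search(line)
    if m and m.group(2).lower() in DEFAULT_PASSWORDS:
        return "default_credential", m.group(2)
    m = GENERIC_TOKEN_RE.search(line)
    if m and shannon_entropy(m.group(2)) >= min_entropy:
        return "high_entropy_token", m.group(2)
    return None, None


def scan_source(text: str, min_entropy: float = 3.5) -> list:
    """Scan source text line by line and return redacted findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        kind, value = classify_line(line, min_entropy)
        if kind is not None:
            findings.append(Finding(line_no, kind, redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} ({f.excerpt})")
```

Run as a pre-commit hook or a CI step, a scanner like this fails the build on the AKIA line, the 40-character secret and the default SonarQube password before any of them reach a shared repository or analysis server; the entropy threshold keeps low-entropy strings such as log formats and build labels out of the report.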
You trust these guys with your credit card details, while they do not care about security, or customer privacy. Picture below shows access keys to authorize to their employee tool, for customer lookups. pic.twitter.com/clG4wsFcAM
— six (@lol_its_six) May 10, 2018
Additionally, the company stated that the security of its users is of the highest priority. The company did at least acknowledge the mistake and thanked "six" for pointing the flaw out.
WinMagic's VP EMEA, Luke Brown, stated that there have been many incidents involving data theft and poor security, but that default login credentials on a repository used for finding bugs and improving security is particularly ironic. According to Brown, this is further proof that, under the shared responsibility model of cloud security, most of the responsibility still falls on the organization itself. This is why companies need rules and policies covering passwords, encryption, and similar aspects of security.