EE, a British mobile network giant owned by BT Group, has been accused of exposing a critical code repository through an open-source code-analysis tool that was protected only by its default username and password.
A security researcher going by the Twitter handle “six” found two million lines of code, including credentials for the company’s private employee and developer APIs and AWS secret keys.
Access to that source could let an attacker analyze the code of the company’s payment systems and find serious holes that could lead to theft of payment information, among other possibilities; the AWS and API keys found in the code could be used directly.
The researcher says the exposed code was found on a SonarQube instance (an open-source platform developed by SonarSource) hosted on an EE subdomain, which the company used to analyze the code behind its website for bugs and security vulnerabilities.
Worse, according to the researcher, they notified EE several times over a period of weeks without any response from the company, which forced them to disclose the issue publicly on Twitter.
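The two checks a practitioner would want after reading this, as an added example that is not from the original article and is not EE’s or SonarSource’s code: probing a SonarQube server for the built-in admin:admin credentials via its documented web API endpoint /api/authentication/validate (which answers {"valid": true} when the HTTP Basic credentials it receives are accepted), and scanning source text for the AWS access key IDs and secret keys of the kind the researcher reported. The server URL, the injectable fetch hook, and the sample source snippet are constructed for illustration; the key values in the snippet are the placeholder credentials AWS uses in its own documentation.

```python
import base64
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional

# SonarQube ships with a built-in "admin" account whose initial password is
# "admin". Its web API exposes GET /api/authentication/validate, which answers
# {"valid": true} when the HTTP Basic credentials it receives are accepted.
SONAR_DEFAULT_USER = "admin"
SONAR_DEFAULT_PASSWORD = "admin"

# Regexes for the two halves of an AWS credential pair. Access key IDs are
# 20 uppercase alphanumerics starting with AKIA (long-term) or ASIA (temporary).
# Secret keys are 40 base64-alphabet characters and are only reported here when
# they sit next to a "secret"-style variable name, to limit false positives.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret|secret_?access_?key)\W{0,3}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# A fetcher takes (url, headers) and returns the response body as text.
Fetcher = Callable[[str, Dict[str, str]], str]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def _http_get(url: str, headers: Dict[str, str]) -> str:
    """Default fetcher: a plain GET with the given headers."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sonarqube_accepts_default_creds(base_url: str, fetch: Optional[Fetcher] = None) -> bool:
    """Return True if the SonarQube server at base_url accepts admin:admin.

    `fetch` can be swapped for a stub so the check runs offline in tests.
    Only point this at servers you are authorised to test.
    """
    url = base_url.rstrip("/") + "/api/authentication/validate"
    headers = {"Authorization": basic_auth_header(SONAR_DEFAULT_USER, SONAR_DEFAULT_PASSWORD)}
    body = (fetch or _http_get)(url, headers)
    return bool(json.loads(body).get("valid", False))


def find_aws_secrets(source: str) -> List[Dict[str, object]]:
    """Scan source text line by line and report AWS access key IDs and secret keys."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(1)})
    return findings


# Constructed sample source (not EE's code). The key values are the placeholder
# credentials from AWS's own documentation, so nothing here is a live secret.
SAMPLE_SOURCE = """\
# settings.py (constructed example)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EMPLOYEE_LOOKUP_TOKEN = "not-an-aws-credential"
"""

if __name__ == "__main__":
    for f in find_aws_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} = {f['value']}")
    # Hypothetical host; replace with an instance you are permitted to test.
    # print(sonarqube_accepts_default_creds("https://sonar.example.test"))
```

The credential probe is deliberately a single authenticated GET rather than a login attempt through the UI: a {"valid": true} answer to admin:admin is enough to confirm the misconfiguration, and it leaves no session behind. The secret scanner is a first-pass triage tool; anything it reports should be treated as compromised and rotated, and the definitive fix is keeping such values out of source in the first place.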
“After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over two million lines of private source code to their systems and employee systems, due to using an ‘admin:admin’ user/pass combination,” the researcher tweeted.
“Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually, there’s no need, since you can just view the code and take AWS keys, API keys, and more,” said the researcher.
Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more. Also; pushing to prod with 167 vulnerabilities???? (MyEE-Web master) – 2
— six (@lol_its_six) May 10, 2018
Furthermore, the researcher warned EE customers that their credit card data is at risk because the company does not care about their security. In a statement to ZDNet, however, EE rejected the researcher’s claims and said that no customer or payment data was at risk.
“Our final code then goes through further checks, processes, and review from our security team before being published. This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team,” EE told ZDNet.
“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We’re conducting a thorough investigation to make sure this does not happen again.”
You trust these guys with your credit card details, while they do not care about security, or customer privacy. Picture below shows access keys to authorize to their employee tool, for customer lookups.
— six (@lol_its_six) May 10, 2018
Luke Brown, VP EMEA at WinMagic commented on the issue and said that “We’ve seen quite a number of incidents these past few months where data has been left exposed on servers and open-source tools, but to have kept the default password on a repository created to audit code for flaws and vulnerabilities…. The irony won’t be lost on anyone!”
“That a company as reputable as EE could have made this mistake underlines the importance of proper configuration and security for any public-facing services. It should also serve as a reminder that under the shared responsibility model of cloud security, responsibility for data stored in these repositories falls to the organization, not the cloud provider. As a result, the need for consistent policies, password rules, and specialized data encryption management has never been greater,” said Brown.