EE Fix Portal Which Was Secured with 'Admin' Password

Telco EE has been accused of “exposing over two million lines of private source code to their systems and employee systems,” due to the use of an admin:admin username and password combination.

According to security researcher and developer “Six”, there is a SonarQube portal on an EE subdomain, which EE uses to audit the code and discover vulnerabilities across its website and customer portal. However, it had not changed the default password from “admin”, reported ZDNet.

“Access to this allows malicious hackers to analyze source code and identify vulnerabilities within,” Six said. “Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more.”

A spokesperson later told ZDNet that the company had changed the password and that the service was pulled offline while the company investigates, and that the portal was a tool used by the company's web development team to quality check its code.

The spokesperson said: “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.

“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We're conducting a thorough investigation to make sure this does not happen again.”

Luis Corrons, security evangelist at Avast Software, told Infosecurity that this is a “clear example of how inadequate security guidelines put companies in jeopardy,” but he welcomed the news that there was a password at all, although using default passwords is one of the major security risks we face nowadays.

“We have seen cases before where personal data has been made publicly available due to the absence of proper protection,” he said.

“A prime example is the case last year in the US where three marketing companies working for the Republican Party published a database online with information on about 198 million registered voters. Anyone could download the full database because there were no security measures in place.”
