EE, the largest cell network in the UK with some 30 million customers, has secured a critical code repository after a security researcher found anyone could log in with the default username and password.
An anonymous security researcher, who goes by the handle Six and is founder of Project Insecurity, discovered a SonarQube portal on an EE subdomain. The carrier uses the tool to audit its code and find vulnerabilities across its website and customer portal.
But EE hadn't changed the default login on the downloadable portal software: "admin" for both the username and password.
That let the security researcher access the bulk of the company's code repository — some two million lines of code, including the company's private employee and developer APIs and Amazon Web Services secret keys. He said that obtaining those keys could let a malicious hacker gain a greater foothold into the company's storage buckets, web servers, and other sensitive data, like debug logs.
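The kind of check that would have caught those keys before the code ever reached an analysis server is a secrets scan run over the source tree. The following is an added example, not code from the original article, from EE or from SonarQube: a small scanner that flags AWS access key IDs by their fixed prefix and length, and flags candidate secret access keys only when a 40-character token sits on a line with an "aws" or "secret" context word and has high Shannon entropy, which keeps hashes and placeholders out of the results. The sample source lines are constructed for the example; the two key values in them are the placeholder credentials AWS uses in its own documentation, not real keys.

```python
import math
import re
from typing import Dict, List, NamedTuple

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. The format is public and stable, so a plain regex is reliable.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. That pattern
# alone is noisy (hashes, session tokens), so a match is only reported when the
# line also carries a context word and the token has high entropy.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"(?i)(aws|secret)")
MIN_SECRET_ENTROPY = 4.0  # bits per character; 40 random base64 chars score about 5.3


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str      # "aws_access_key_id" or "aws_secret_access_key"
    preview: str   # redacted value, safe to write to a CI log


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters so a finding never re-leaks the secret."""
    return value[:4] + "..." + value[-4:]


def scan_lines(path: str, lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(1))))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                candidate = m.group(1)
                if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                    findings.append(Finding(path, line_no, "aws_secret_access_key", redact(candidate)))
    return findings


def scan_source(files: Dict[str, List[str]]) -> List[Finding]:
    """Scan a mapping of path -> lines (what a pre-commit hook would feed in)."""
    results: List[Finding] = []
    for path, lines in files.items():
        results.extend(scan_lines(path, lines))
    return results


# Constructed sample input. The key values are the AWS documentation placeholders.
SAMPLE_SOURCE: Dict[str, List[str]] = {
    "config/settings.py": [
        "DEBUG = True",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
        "PINNED_SHA1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'",   # 40 hex chars, no context word: ignored
        "SECRET_PLACEHOLDER = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'",  # context word but zero entropy: ignored
    ],
    "src/api/client.py": [
        "key_id = os.environ['AWS_ACCESS_KEY_ID']  # loaded at runtime, nothing to flag",
    ],
}

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.preview}")
```

Run against the sample, the scanner reports the two real credentials in config/settings.py and stays quiet on the hash, the placeholder and the environment-variable lookup. Wired into a pre-commit hook or a CI step, the same logic fails the build before the code is pushed, which is where the check belongs: an analysis server that later displays the source, as SonarQube does, will show anything that was committed to whoever can log in.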
“You trust these guys with your credit card details, while they do not care about security, or customer privacy,” he said in a tweet.
An EE spokesperson said: “No customer data is, or has been, at risk.”
Six said that one of the biggest dangers is that accessing the system allows a malicious hacker to exploit vulnerabilities in the source code.
“Malicious hackers could analyze the code of their payment systems, and find major holes that could lead to theft of payment information,” he said in another tweet.
The researcher published his findings in a series of tweets.
Six also shared several screenshots from inside the portal with ZDNet to confirm what he found. Asked about his motives, Six said he was "trying to educate the wider masses about security, and how overlooked it is across the industries."
We couldn't independently verify that the portal's credentials were both "admin" without logging in — which would be illegal under both US and UK law. For that reason, we're not naming the researcher who discovered the flaw. When we reached EE for comment, we told the company about the default password. A spokesperson later told ZDNet that the company had changed the password and that the service was pulled offline while the company investigates.
The spokesperson said the portal was a tool used by the company’s web development team to quality check its code.
“Our final code then goes through further checks, processes, and review from our security team before being published,” the spokesperson said. “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.”
“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We’re conducting a thorough investigation to make sure this does not happen again,” the spokesperson said.