View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

EE on Critical Code Exposure: Embarrassing but No Harm Done

So "admin" and "admin" are never a great user/pw combination...

By CBR Staff Writer

Mobile giant EE says that exposure of a critical code repository revealed by a teenage security researcher left no customer data at risk.

The company, which has over 30 million UK customers, was put on the back foot this morning after the security researcher, who goes by the handle Six, found that the company hadn’t changed the default username and password on the open source SonarQube platform, used by EE to audit code for vulnerabilities.

Both were still “admin”.

That gained Six access to the company’s private employee and developer APIs, as well as the company’s Amazon Web Service logins.

https://twitter.com/lol_its_six/status/994608947343618049

Luke Brown, VP EMEA at enterprise security specialists WinMagic said in an emailed statement: “We’ve seen quite a number of incidents these past few months where data has been left exposed on servers and open-source tools, but to have kept the default password on a repository created to audit code for flaws and vulnerabilities…. The irony won’t be lost on anyone! ”

He added: “That a company as reputable as EE could have made this mistake underlines the importance of proper configuration and security for any public facing services.  It should also serve as a reminder that under the shared responsibility model of cloud security, responsibility for data stored in these repositories falls to the organisation, not the cloud provider. As a result the need for consistent policies, password rules and specialised data encryption management has never been greater.”

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Company Fixes Portal, Thanks Researcher

EE said in a statement: “No customer data is, or has been, at risk. We have now changed the login credentials to our sonarqube development tool and have blocked all access while we investigate this issue.”

The company added: “This is just one of the tools used by our web development teams to quality check our code in development. Our final code then goes through further checks, processes and review from our security team before being published.”

“This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.”

 

Bitglass‘s Steve Armstrong noted:Ideally, when organisations use public cloud platforms, a third-party security control should be implemented to enforce granular, contextual user access control.”

He added: “By focusing on factors such as the device, the user identity or geographic location of the login attempt, it is possible to implement controls such as step-up multi-factor authentication.  This can mitigate these issues in real time preventing an unauthorised user accesses the cloud service.  Applying multi-factor authentication to any application, even those which natively do not support the function, greatly reduces the risk of misconfigured cloud platforms.”

 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU