UK mobile operator EE left a critical code system exposed with a default password

Pierluigi Paganini May 13, 2018

The EE operator, the British largest cell network in the UK with some 30 million customers, has left a critical code system exposed online with a default password.

EE, a British mobile network giant owned by BT Group has been accused of leaving a critical code repository on an open-source tool protected by a default username and password.

The British mobile network giant EE has reportedly left a critical code repository on an open-source tool protected by default credentials.

The disconcerting discovery was made by a security researcher that uses the Twitter handle of “six,” he found two million lines of code including access to the company’s private employee and developer APIs and Amazon Web Services secret keys.

“One of the largest mobile networks in Britain, EE,  which is also owned by BT Group, was accused of risking the safety of a critical code repository due to bad security. Apparently, the company left the repository protected only by a default login info, according to one researcher.” reported the koddos.net website.

The availability of the keys could be exploited by attackers to analyze the code of the employee’s payment systems and discover vulnerabilities to exploit for malicious purposes.

According to the researcher, payment information, including credit card data, is at risk.

The code was exposed on the SonarQube open-source platform hosted on an EE subdomain that was used by the mobile network company to analyze code with the intent of discovering bugs and security vulnerabilities on their website.

According to the researchers, he notified the data leak EE several times for weeks, but the company did not reply.

“After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over two million lines of private source code to their systems and employee systems, due to using an ‘admin:admin’ user/pass combination,” six tweeted.

uk EE operator

A spokesman for the company contacted ZDNet criticized the research and his claims and tried to downplay the incident sustaining that none of the customer or payment data at risk.

According to the spokesperson later it is a development code that does not contain any information related to the production infrastructure

Anyway, the company had changed the password and that the service was taken offline.

“Our final code then goes through further checks, processes, and review from our security team before being published,” the spokesperson said. “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.”

“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We’re conducting a thorough investigation to make sure this does not happen again,” the spokesperson told ZDNet.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – EE operator, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment