EE left a critical code system exposed

EE, a British mobile network giant owned by BT Group has been accused of leaving a critical code repository on an open-source tool protected by a default username and password. The company has over 30 million UK customers.

The code repository contained two million lines of code across EE’s website and customer portal, including access to the company’s private employee and developer APIs and Amazon Web Service (AWS) secret keys, revealed a teenage security researcher.

The security researcher going by the Twitter handle of “six” who is also the founder of Project Insecurity, found a Sonarqube portal (an open source platform developed by SonarSource) on an EE subdomain, which the cell giant uses to audit the code and discover vulnerabilities across its website and customer portal.

He said that obtaining those keys could let a malicious hacker gain a greater foothold into the company's storage buckets, web servers, and other sensitive data, like debug logs. The hacker could analyse the code of their payment systems, and find major holes that could lead to theft of payment information.

"You trust these guys with your credit card details, while they do not care about security or customer privacy," he said in a tweet.

Luke Brown, VP EMEA at enterprise security specialists WinMagic said in an emailed statement: “We’ve seen quite a number of incidents these past few months where data has been left exposed on servers and open-source tools, but to have kept the default password on a repository created to audit code for flaws and vulnerabilities…. The irony won’t be lost on anyone! ”

He added: “That a company as reputable as EE could have made this mistake underlines the importance of proper configuration and security for any public facing services. It should also serve as a reminder that under the shared responsibility model of cloud security, responsibility for data stored in these repositories falls to the organisation, not the cloud provider. As a result, the need for consistent policies, password rules and specialised data encryption management has never been greater.”

An EE spokesperson said: "No customer data is, or has been, at risk."