2 million lines of source code left exposed by phone company EE

EE, which at 30 million customers is the UK’s largest mobile network, was formerly known as Everything Everywhere.

Unfortunately, the name has proved prescient: it reportedly did, in fact, leave everything for anyone anywhere to find by non-securing a critical code repository so that anyone could log in with the default username and password. As in, “admin” was both the user name and password for getting into the downloadable portal software, according to a security researcher with the Twitter handle “Six”.

As first reported by ZDNet, on Thursday, Six tweeted a screen capture that he said shows (redacted) access keys to authorize EE’s employee tool. “You trust these guys with your credit card details, while they do not care about security, or customer privacy,” Six said.

The researcher said that after waiting “many many weeks” for a reply from the company, he decided to publicly disclose the vulnerability. His motive was reportedly to “educate the wider masses about security, and how overlooked it is across the industries.”

The code repository contained two million lines of the source code behind EE’s systems, including systems that contained employee data.

Six said that he had discovered a SonarQube portal on an EE subdomain. SonarQube is an open-source platform that offers continuous code auditing to perform automatic reviews and which EE uses to seek out vulnerabilities across its website and customer portal.

The security researcher said that this type of default-password glitch could allow malicious hackers to comb through the code to identify vulnerabilities. But as Six points out, why even bother? Anybody could simply view what should have been private: namely, EE’s Amazon Web Services (AWS) keys, application programming interface (API) keys, and more.

That rates a negative 1 for not changing the default password, Six decreed, but a negative 2 for whoever allowed this code to get to production with a total of 167 vulnerabilities:

Unfortunately, leaving iffy source code open for modification like this means that unless it gets picked up in code review, that iffy code then becomes part of the official, production-level computer program.

What’s the likelihood that source code attacks would have resulted? Well, this isn’t the first time that people have wanted answers on that question. In 2013, one of Adobe’s network security breaches reportedly included the theft of 40GB of its source code.

At the time, Naked Security’s Paul Ducklin had some thoughts on that. Yes, it brings risk, but developing attacks from source codes is arduous – you have to walk, step by step, through a program to figure out what it’s doing.

At any rate, ZDNet quoted an EE spokesperson who said that “No customer data is, or has been, at risk.” Its code goes through the SonarQube quality check, after which it “goes through further checks, processes, and review from our security team before being published,” the spokesperson said.

This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.

ZDNet’s Zack Whittaker said that Six shared several screenshots taken from within the portal. He also noted that ZDNet itself couldn’t independently verify that “admin” was the portal’s login credentials – at least, not legally, given that it would require actually logging in.

An EE spokesperson later told ZDNet that the company had changed the password and that the service was pulled offline while the company investigates.