EE, a British mobile network giant owned by BT Group, has been accused of leaving a critical code repository on an open-source tool protected by a default username and password. The company has over 30 million UK customers.
The code repository contained 2 million lines of code across EE's website and customer portal, including access to the company's private employee and developer APIs and Amazon Web Services (AWS) secret keys, revealed a teenage security researcher.
The security researcher, who goes by the Twitter handle "six" and is also the founder of Project Insecurity, found a SonarQube portal (an open-source platform developed by SonarSource) on an EE subdomain, which the mobile giant uses to audit the code and find vulnerabilities across its website and customer portal.
He said that obtaining those keys could allow a malicious hacker to gain a greater foothold into the company's storage buckets, web servers, and other sensitive data, like debug logs. The hacker could analyse the code of their payment systems and find major holes that could lead to theft of payment information.
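The underlying defect here is not the code-quality tool itself but the AWS secret keys sitting in the source it indexed. The usual mitigation is to scan source for credential-shaped strings before it is committed or fed to an analysis platform. The scanner below is an added example written for this article, not code from EE, SonarSource or the researcher. It uses the documented AWS key formats (20-character access key IDs beginning AKIA or ASIA, 40-character base64-style secret keys), a Shannon entropy threshold to discard repetitive placeholder text, and keyword context on the line to rate confidence. The sample source, the `SESSION_SEED` value and the `API_TOKEN` value are constructed; the `EXAMPLE` key values are the inert placeholders AWS publishes in its documentation.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample input: source lines of the kind a code-quality scanner
# would index. The EXAMPLE values are AWS's own documentation placeholders;
# SESSION_SEED and API_TOKEN are made-up strings, not real credentials.
SAMPLE_SOURCE = """\
# config/settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = True
# portal/session.py
SESSION_SEED = "Qz8mT2vLpX4nRb7kWc9sYd1fHg5jKe3uNa6oZi0t"
API_TOKEN = "notasecretjustaplaceholderstringxxxxxxxx"
"""

# AWS access key IDs: fixed prefix plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret access keys: exactly 40 base64-style characters, not part of a longer token.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# Words on the same line that make a 40-character blob very likely to be an AWS secret.
CONTEXT_RE = re.compile(r"secret|aws", re.IGNORECASE)
# Bits per character; genuine random 40-character secrets sit well above this,
# while repetitive filler such as "xxxxxxxx" falls below it.
ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    line_no: int
    kind: str        # "aws_access_key_id" or "aws_secret_access_key"
    confidence: str  # "high" or "low"
    token: str       # redacted, so a report cannot re-leak the value
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only the first four characters so findings can be reported safely."""
    return token[:4] + "*" * (len(token) - 4)


def scan(source: str) -> list:
    """Return Findings for credential-shaped strings in the given source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            # The fixed AKIA/ASIA prefix is distinctive enough to report unconditionally.
            tok = m.group()
            findings.append(Finding(line_no, "aws_access_key_id", "high",
                                    redact(tok), shannon_entropy(tok)))
        for m in SECRET_KEY_RE.finditer(line):
            tok = m.group()
            ent = shannon_entropy(tok)
            if ent < ENTROPY_THRESHOLD:
                continue  # repetitive placeholder text, not a credential
            conf = "high" if CONTEXT_RE.search(line) else "low"
            findings.append(Finding(line_no, "aws_secret_access_key", conf,
                                    redact(tok), ent))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} ({f.confidence}, {f.entropy:.2f} bits/char) {f.token}")
```

Run against the constructed sample it reports the access key ID on line 2, the secret key on line 3 as high confidence (the line mentions both `AWS` and `SECRET`), and the high-entropy `SESSION_SEED` on line 6 as a low-confidence candidate for a human to triage; the `API_TOKEN` placeholder is dropped because its entropy is about 3.8 bits per character. Wiring a check like this into a pre-commit hook or CI step is what keeps secrets out of a repository in the first place, which matters because any tool that later indexes the code, whatever its login policy, inherits whatever was committed.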
"You trust these guys with your credit card details, while they do not care about security or customer privacy," he said in a tweet.
Luke Brown, VP EMEA at enterprise security specialists WinMagic, said in an emailed statement: "We've seen quite a number of incidents these past few months where data has been left exposed on servers and open-source tools, but to have kept the default password on a repository created to audit code for flaws and vulnerabilities... The irony won't be lost on anyone!"
He added: "That a company as reputable as EE could have made this error underlines the importance of proper configuration and security for any public-facing services. It should also serve as a reminder that under the shared responsibility model of cloud security, responsibility for data stored in these repositories falls to the organisation, not the cloud provider. As a result, the need for consistent policies, password rules and specialised data encryption management has never been greater."
An EE spokesperson said: "No customer data is, or has been, at risk."