UK cell giant EE left a critical code system exposed with a default password
EE, the largest cell network in the UK with some 30 million customers, has secured a critical code repository after a security researcher found anyone could log in with the default username and password. An anonymous security researcher, who goes by the handle Six and is founder of Project Insecurity, discovered a SonarQube portal on an EE subdomain, which the cell giant uses to audit the code and discover vulnerabilities across its website and customer portal. But EE hadn’t changed the default password on the downloadable portal software — ‘admin’ for both the username and password.
That let the security researcher access the bulk of the company’s code repository — some two million lines of code, including access to the company’s private employee and developer APIs and Amazon Web Services secret keys. He said that obtaining those keys could let a malicious hacker gain a greater foothold into the company’s storage buckets, web servers, and other sensitive data, like debug logs.