Sensitive data from major Canadian firm Rogers Communications was found sitting open on the GitHub developers platform. The obsolete code, which dates from 2015, was removed from GitHub shortly after it was discovered.
According to a new report from The Register, security researcher Jason Coulls discovered two open GitHub accounts with Rogers’ application source code, internal user names and passwords, and private keys. No customer data was found, explains the report.
Coulls said that he suspects the code belongs to a former Rogers Communications developer.
“This kind of information, along with source code to skim for security bugs, is a boon for miscreants casing the telco to compromise it,” reads the report. “These details may have already been exploited by criminals, or may prove useful for future attacks. It’s also a reminder that engineers and management must take all precautions to avoid pushing private company code to public repositories.”
Coulls — who previously discovered internal materials from Scotiabank on the same website — said that in addition to rogers.com source code, the information also contained credentials for deployment systems and Oracle-supplied gear.
“Putting the Apache Cassandra configs, Oracle credentials, WebLogic server password, and crypto keys in the open takes that error to a level that I find disturbing,” he told us.
“What concerns me now is having seen this, it leaves me with lots of questions, such as, how many other systems share the same exposed crypto keys, or sit on the same WebLogic server?”
The security researcher also explained that the code could be analyzed by bad actors to root out potential weaknesses in the company’s website.
“Having now seen Rogers’ standard of code, I have to point out that they should have set up server environment variables on the host machines, and then pulled any credentials and keys at run time,” said Coulls. “That way their developers can never accidentally check credentials into a repository with the code.”
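The run-time approach Coulls describes, as an added example that is not code from Rogers or from Coulls: credentials are pulled from host environment variables and the application fails closed when one is absent, and a pre-commit style scan flags text carrying literal passwords or PEM private keys. The variable names, config keys and the sample config are assumptions constructed for this example.

```python
import os
import re
# Hypothetical credentials: config key -> host environment variable (assumed names).
REQUIRED_SECRETS = {
    "cassandra_password": "APP_CASSANDRA_PASSWORD",
    "oracle_password": "APP_ORACLE_PASSWORD",
    "weblogic_admin_password": "APP_WEBLOGIC_ADMIN_PASSWORD",
}

def missing_secrets(env) -> list[str]:
    """Required variables that are unset or empty in `env`."""
    return [var for var in REQUIRED_SECRETS.values() if not env.get(var)]

def load_secrets(env=os.environ) -> dict[str, str]:
    """Pull credentials from the environment at run time; fail closed if any are
    missing rather than fall back to a value embedded in the code base."""
    missing = missing_secrets(env)
    if missing:
        raise RuntimeError(f"missing required environment variables: {missing}")
    return {key: env[var] for key, var in REQUIRED_SECRETS.items()}

# Heuristics for a pre-commit hook over staged text: PEM private key blocks and literal
# password assignments. Values that reference the environment (${VAR}, os.environ, getenv) pass.
SECRET_PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"]?"
        r"(?!\$|os\.environ|getenv)[^\s'\"]{4,}")),
]

def scan_for_secrets(path: str, text: str) -> list[str]:
    """One finding per offending line, formatted 'path:lineno:kind'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(f"{path}:{lineno}:{kind}")
                break
    return findings

# Constructed sample of a config file that must never reach a public repository.
SAMPLE_CONFIG = """\
authenticator: PasswordAuthenticator
cassandra_password: s3cretCassandra!
oracle_password: ${APP_ORACLE_PASSWORD}
weblogic_admin_password = "Welcome1"
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
"""
```

Wired into a pre-commit hook, `scan_for_secrets` would block the commit on lines 2, 4 and 5 of the sample while letting the `${APP_ORACLE_PASSWORD}` reference through.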
In response to the security researcher’s discoveries, Rogers has downplayed the risk of the leak, noting the code was old and is no longer accessible on GitHub.
In a statement, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.”
Update Jan. 27, 8:13pm: Added more information to the story to note code was obsolete and from 2015, and no longer available on GitHub.