Source code, internal user names and passwords, and private keys, for the website and online account systems of Canadian ISP Rogers have been found sitting on the open internet.
The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered the front-end for various parts of Rogers.com. The materials are marked "closed source" and copyright Rogers, yet can be found on the web if you know where to look. Details of and credentials for services and systems on the ISP's internal networks are included.
This kind of information, along with source code to skim for security bugs, is a boon for miscreants casing the telco to compromise it. These details may have already been exploited by criminals, or may prove useful for future attacks. It's also a reminder that engineers and management must take all precautions to avoid pushing private company code to public repositories.
It should be noted that no customer information or account details - beyond the names, passwords, and email addresses of some members of the ISP's web development team - are present in the public code repository. The blueprints date back to 2015, so just how much of this code remains in production is unclear. One hopes the passwords and keys have been replaced in the past five years, at least.
With any luck, this may well be more of an embarrassment to one of Canada's biggest broadband telcos than anything else.
After we alerted Rogers' media handlers to the exposed trove, we noticed certain parts of the telco's dot-com - such as its login page for business customers - were marked as being "in maintenance mode." On the other hand, we gather Rogers' website routinely goes in and out of this feature-limited mode, so it could just be a coincidence.
The info silo was found by Canada-based techie and security researcher Jason Coulls, who attempted to tip off Rogers about the matter without much success. We've also not heard back from the ISP or the engineer who owns the offending repository - which remains live, so we won't link to it.
Coulls, who previously discovered Scotiabank's internal materials exposed on GitHub, told El Reg on Thursday that, in addition to the source code, the repository includes credentials for deployment systems, and Oracle-supplied gear, such as WebLogic and what looks like Exadata installations.
"Putting the Apache Cassandra configs, Oracle credentials, WebLogic server password, and crypto keys in the open takes that error to a level that I find disturbing," he told us.
"What concerns me now is having seen this, it leaves me with lots of questions, such as, how many other systems share the same exposed crypto keys, or sit on the same WebLogic server?"
Coulls also noted that the code could be analyzed by hackers to root out potential weaknesses in the ISP's website.
"Having now seen Rogers' standard of code, I have to point out that they should have set up server environment variables on the host machines, and then pulled any credentials and keys at run time," said Coulls. "That way their developers can never accidentally check credentials into a repository with the code."
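The practice Coulls describes, resolving credentials from host environment variables at run time rather than committing them with the code, as an added example in Java (the language of the leaked front-end); this is not Rogers' code or Coulls' code, and the variable names are assumptions chosen to match the systems named in the article:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Added example: secrets are looked up by name in the host environment at start-up,
// so only the names ever appear in the source tree. Variable names are assumptions.
public final class RuntimeSecrets {
    static final String[] REQUIRED = {
        "CASSANDRA_PASSWORD", "ORACLE_DB_PASSWORD", "WEBLOGIC_ADMIN_PASSWORD", "CRYPTO_KEY"
    };

    private final Map<String, String> env;

    RuntimeSecrets(Map<String, String> env) { this.env = Objects.requireNonNull(env); }

    // Fail fast: a missing secret is a deployment error, not something to discover
    // later with a fallback value baked into the code.
    void validate() {
        List<String> missing = new ArrayList<>();
        for (String name : REQUIRED) {
            String v = env.get(name);
            if (v == null || v.trim().isEmpty()) missing.add(name);
        }
        if (!missing.isEmpty()) {
            // Report names only, never values, so this message is safe to log.
            throw new IllegalStateException("missing secrets: " + String.join(", ", missing));
        }
    }

    // Returned as char[] so the caller can zero it after use, which a String cannot be.
    char[] get(String name) {
        String v = env.get(name);
        if (v == null) throw new IllegalStateException("secret not configured: " + name);
        return v.toCharArray();
    }

    // Redacting toString keeps secrets out of debug output and stack traces.
    @Override public String toString() {
        return "RuntimeSecrets[" + REQUIRED.length + " secrets, values redacted]";
    }

    public static void main(String[] args) {
        RuntimeSecrets s = new RuntimeSecrets(System.getenv());
        s.validate();
        char[] pw = s.get("ORACLE_DB_PASSWORD");
        // ... hand pw to the JDBC/WebLogic client here ...
        Arrays.fill(pw, '\0'); // wipe the copy once the client has consumed it
        System.out.println(s);
    }
}
```

Set the four variables in the host's service environment before launching; a run with any of them unset exits immediately with the list of missing names.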
The incident should serve as a warning to all on the importance of keeping track of where source code is kept and who has access to it. While we've seen plenty of poorly secured cloud databases and storage buckets leaking data, code-hosting platforms can also be inadvertently configured by users to expose company secrets and pose a significant security risk if not properly managed. ®