It’s the weekend, so there’s no better time to hear a great story about awful security, and even worse company responses. After someone questioned T-Mobile Austria about customer passwords being stored in plaintext, a couple of company social reps revealed their complete misunderstanding of computer security, and perhaps how community relations should be handled.
T-Mobile Austria at T-Center in Vienna; Wikipedia Credit: Ninanuri
The first response didn’t clarify much, aside from admitting that the passwords are in fact unencrypted:
That response should make anyone cringe, but believe it or not, they became even worse. One employee claimed that T-Mobile Austria’s security is so good, there’s simply no need to worry about completely unsecured passwords sitting on its servers. Keep that in mind as you read on.
Security breaches unfortunately happen all of the time, and in an overwhelming number of cases, hashed passwords are leaked, not plaintext ones. While every breach that affects you should cause you to change your password, hashed passwords add a time cushion, and chances are good that you are not going to be special enough for someone to dedicate the resources needed to crack your password. So imagine if plaintext passwords were leaked. In one of these cases, some hashed passwords from the list might match a known password, but in the other, every single customer password would just be sitting there, waiting to be copy and pasted elsewhere.
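To make the plaintext-versus-hashed distinction concrete, here is an added Python example (not code from the article or from T-Mobile Austria) of how a credential store should look: the password is run through a salted, memory-hard hash (scrypt, from the standard library) before it is stored, and login compares hashes in constant time. The user table, the scrypt parameters and the usernames are constructed for illustration. A dump of this table gives a thief the hashes and salts, never the passwords, which is exactly the "time cushion" described above.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential table for the example: username -> stored record.
USER_DB = {}

# scrypt work factors (assumed values for illustration; raise them as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DERIVED_LEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one lookup table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DERIVED_LEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DERIVED_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(username: str, password: str) -> None:
    """Store only the hashed record; the plaintext never reaches the table."""
    USER_DB[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = USER_DB.get(username)
    return stored is not None and verify_password(password, stored)


def database_dump() -> dict:
    """What a breach of this table would expose: salted hashes, no passwords."""
    return dict(USER_DB)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "hunter2"))
    print("dumped record:", database_dump()["alice"])
```

The record format carries the scheme name so the parameters can be upgraded later: a login that succeeds against an old record can immediately re-hash the password with stronger settings.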
This isn’t just a tale of poor customer service from a social team, though; it’s also a reminder of just how poor the security infrastructure at some major companies continues to be. After the plaintext-password issue came to light, security researcher Hanno Böck revealed just how bad things were at T-Mobile Austria – but only after the vulnerabilities were fixed.
On three of T-Mo Austria’s subdomains, WordPress blogs were managed via a git repository. That meant anyone who could reach that repo would also have every bit of source code for the website, including the WordPress wp-config.php configuration file, which stores the database username and password in plain text. Here’s the best part: by simply appending “.git/config” to those URLs, Böck could download the entire repo.
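The underlying mistake is a version-control directory sitting inside the web server's document root, with credentials committed alongside the code. The following is an added Python audit script (not code from the article or from T-Mobile Austria) that a site owner can run against a deployment directory: it walks the document root for `.git`, `.svn` or `.hg` directories that the web server would serve unless explicitly blocked, and flags a `wp-config.php` that lives inside a git checkout without being listed in `.gitignore`. The directory layout it builds is constructed for the demonstration, and its `.gitignore` check only understands plain file names, not glob patterns (an assumed simplification).

```python
import os
import tempfile
from pathlib import Path

# Directories whose presence under a web root exposes repository history and config.
VCS_DIRS = {".git", ".svn", ".hg"}
# Files that carry secrets and must never be committed or served as source.
SECRET_FILES = {"wp-config.php"}


def find_exposed_vcs_dirs(docroot):
    """Return VCS metadata directories (relative to docroot) reachable under the web root."""
    docroot = Path(docroot)
    found = []
    for dirpath, dirnames, _ in os.walk(docroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                found.append(str((Path(dirpath) / name).relative_to(docroot)))
                dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(found)


def gitignore_covers(repo_root, filename):
    """Simplified check: True if .gitignore lists the file by exact name (no globs)."""
    gitignore = Path(repo_root) / ".gitignore"
    if not gitignore.exists():
        return False
    for line in gitignore.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lstrip("/") == filename:
            return True
    return False


def audit_wordpress_docroot(docroot):
    """Collect findings for a WordPress document root; an empty list means clean."""
    docroot = Path(docroot)
    findings = []
    for rel in find_exposed_vcs_dirs(docroot):
        findings.append(f"version-control metadata reachable under web root: {rel}")
    if (docroot / ".git").is_dir():
        for name in SECRET_FILES:
            if (docroot / name).exists() and not gitignore_covers(docroot, name):
                findings.append(f"{name} is inside a git checkout and not in .gitignore; "
                                "its database credentials are part of the repository")
    return findings


def build_constructed_docroot(base, hardened=False):
    """Build a constructed example layout: a WordPress root, optionally deployed badly."""
    root = Path(base) / "htdocs"
    (root / "wp-content" / "themes").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed-example');\n")
    if not hardened:
        # The bad case: the checkout's .git directory lives inside the web root.
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
    return root


def audit_constructed_example(hardened=False):
    """Run the audit over the constructed layout and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_wordpress_docroot(build_constructed_docroot(tmp, hardened))


if __name__ == "__main__":
    for finding in audit_constructed_example():
        print("FINDING:", finding)
    print("hardened layout findings:", audit_constructed_example(hardened=True))
```

The usual remediation is to deploy from an export of the repository rather than a live checkout (or keep the checkout above the document root), have the web server refuse any request path beginning with `/.git`, and keep `wp-config.php` out of version control with the credentials supplied at deploy time.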
Given the security risks of that issue, it feels like T-Mobile Austria dodged a bullet after making a fool of itself on Twitter, because it ultimately led to an even more serious bug being squashed. T-Mo is lucky a security researcher with no ill intent decided to find the flaw before someone malicious did.
Since this went down, T-Mobile Austria issued an update (seen above), stating that no security breach has taken place, and that the company will look for further steps to continue improving its security. Based on what we know so far, there’s an awful lot of work that needs to be done.