Severe T-Mobile Austria Website Bug Fixed After Company’s Social Team Touted ‘Amazingly Good’ Security

It’s the weekend, so there’s no better time to hear a great story about awful security, and even worse company responses. After someone questioned T-Mobile Austria about customer passwords being stored in plaintext, a couple of company social reps revealed their complete misunderstanding of computer security, and perhaps how community relations should be handled.

T-Mobile Austria at T-Center in Vienna; Wikipedia Credit: Ninanuri

The first response didn’t clarify much, aside from admitting that the passwords are in fact unencrypted:

Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea

— T-Mobile Austria (@tmobileat) April 4, 2018

That response should make anyone cringe, but believe it or not, they became even worse. One employee claimed that T-Mobile Austria’s security is so good, there’s simply no need to worry about completely unsecured passwords sitting on its servers. Keep that in mind as you read on.

Security breaches unfortunately happen all of the time, and in an overwhelming number of cases, hashed passwords are leaked, not plaintext ones. While every breach that affects you should cause you to change your password, hashed passwords add a time cushion, and chances are good that you are not going to be special enough for someone to dedicate the resources needed to crack your password. So imagine if plaintext passwords were leaked. In one of these cases, some hashed passwords from the list might match a known password, but in the other, every single customer password would just be sitting there, waiting to be copy and pasted elsewhere.

@Korni22 Excuse me? Do you have any idea how telecommunication companies work? Do you know anything about our systems? But I'm glad you have the time to share your view with us. ^Käthe

— T-Mobile Austria (@tmobileat) April 6, 2018

This isn’t just a tale of poor customer service from a social team, though; it’s also a reminder of just how poor the security infrastructure at some major companies continues to be. Following the ousting of the plaintext issue, security researcher Hanno Böck revealed just how bad things were at T-Mobile Austria – but only after the vulnerabilities were fixed.

Three of their subdomains (blog/kids/newsroom) were running wordpress blogs, the code managed via a git repository. You could download that git repo, you can test that by appending .git/config to the URL.

— hanno (@hanno) April 7, 2018

On three of T-Mo Austria’s subdomains, WordPress blogs were managed via a git repository. That meant that anyone who gained access to that repo would likewise gain access to every bit of source code related to the website. That includes the WordPress wp-config.php configuration file, which stores the database username and password in plain text. Here’s the best part: by simply adding “.git/config” to the end of these respective URLs, Böck could download the entire repo.

Given the security risks of that issue, it feels like T-Mobile Austria dodged a bullet after making a fool of itself on Twitter, because it ultimately led to an even more serious bug being squashed. T-Mo is lucky a security researcher with no ill intent decided to find the flaw before someone malicious did.

Our comment on posts about password security @tmobileat: There is no data breach at T-Mobile Austria. Databases are encrypted and secured. However, we take the discussion about our security standards very serious and will take further steps for protection as necessary. ^Helmut

— T-Mobile Austria (@tmobileat) April 7, 2018

Since this went down, T-Mobile Austria issued an update (seen above), stating that no security breach has taken place, and that the company will look for further steps to continue improving its security. Based on what we know so far, there’s an awful lot of work that needs to be done.