Rogers’ internal passwords and source code found open on GitHub

Sensitive data of another major Canadian firm has been found sitting open on the GitHub developers platform.

Security researcher Jason Coulls said he recently discovered two open accounts with application source code, internal user names and passwords, and private keys for Rogers Communications. No customer data was found.

He suspects the code belonged to a developer who has left the telco.

Coulls, who works in the IT department of a Toronto firm and has his own security consultancy, initially told The Register of the discovery, after which the news site contacted Rogers.

One problem is that the code he saw describes data payloads and how they move between databases and web services.

“You can use that to get to the stuff that people [thieves] would go after,” he explained.

In a statement late last night, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.”

But in an interview with IT World Canada this morning, Coulls said the problem is worse. Earlier today he discovered five more open folders on GitHub apparently containing Rogers’ customer data.

“It has device identifier, customer’s phone number, how much they paid for it, how much Rogers paid in subsidies, what is on their plan. By most definitions that is a breach. It’s not a big one, but it’s a breach,” he said.

UPDATE: Late this afternoon Sarah Schmidt, Rogers director of public affairs, issued this statement to ITWC: “With respect to the links we have analyzed [on GitHub] to date, we have found very limited disjointed pieces of information that do not identify specific customers, and the links are being removed.”

The statement didn’t specify, but an update to the Register story now includes a link to an application made by Rogers to take down two GitHub repositories with proprietary information created by ex-employees.

“With respect to the code and private keys for the web-based application we have analyzed,” the statement goes on, “they have been obsolete for many years, and of the closed back-office applications we have reviewed to date, they are not accessible on the internet and the passwords to access them are disabled.”

Coulls often hunts GitHub looking for unprotected data belonging to Canadian banks so they can be warned.

Last September he accused Scotiabank of poor security after discovering someone had left bank application source code and private login keys to backend systems open on GitHub repositories.

Canadian banks are among the companies that aren’t tough enough on internal developers or contractors who are hired for application work, he said, and major firms should forbid developers from posting code on external repositories like GitHub.

In addition, Coulls is adamant that IT security teams need to be more aggressive in searching not only their own sites but sites like GitHub for unsecured applications.
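The kind of material found in the Rogers repositories (private keys, hard-coded passwords, credentials embedded in service URLs) is what a secret scan run over a code tree before it is pushed, or over a cloned public repository, is meant to catch. The following is an added example written for this article, not a tool used by the researcher or by Rogers; the patterns, the `find_secrets`/`scan_tree` functions and the sample config are all constructed for illustration.

```python
import os
import re
from typing import Dict, List, Tuple

# Patterns for the three kinds of material the article describes as exposed:
# private key blocks, hard-coded password assignments, and credentials
# embedded in database/web-service connection strings. Constructed here;
# a production scanner would carry many more signatures.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"]?[^'\"\s]{4,}"),
    "connection_string_creds": re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
}

def find_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, kind) for every line matching a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings

def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a checked-out tree (skipping .git) and report files with findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_secrets(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                report[path] = hits
    return report

# Constructed sample config file; none of these values are real.
SAMPLE_CONFIG = """\
# constructed sample, not real data
db_host = "billing-db.internal.example"
db_user = "svc_billing"
db_password = "Tr0ub4dor&3"
api_url = "https://svc_reporting:hunter2@reports.internal.example/v1"
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAexampleexampleexample
-----END RSA PRIVATE KEY-----
timeout = 30
"""
```

Running `find_secrets(SAMPLE_CONFIG)` flags lines 4, 5 and 6; wiring `scan_tree` into a pre-push hook or a scheduled job over the organisation's repositories is the defensive control the article is arguing for.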

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com