No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down
'Closed source' blueprints available for all to gawp at – and potentially exploit
Updated Source code, internal user names and passwords, and private keys, for the website and online account systems of Canadian telecoms giant Rogers have been found sitting on the open internet.
The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered various components of Rogers.com. The materials are marked "closed source" and copyright Rogers, yet can be found on the web if you know where to look. Details of and credentials for services and systems on the ISP's internal networks are included.
This kind of information, along with source code to skim for security bugs, is a boon for miscreants casing the telco to compromise it. These details may have already been exploited by criminals, or may prove useful for future attacks. It's also a reminder that engineers and management must take all precautions to avoid pushing private company code to public repositories.
It should be noted that no customer information nor account details – beyond the names, passwords, and email addresses of some members of the ISP's web development team – are present in the public code repository. The web app blueprints date back to 2015, so just how much of this code remains in production is unclear. One hopes the passwords and keys have been replaced over the past five years, at least.
With any luck, this may well be more of an embarrassment to one of Canada's biggest broadband'n'telly telcos than anything else.
After we alerted Rogers' media handlers to the exposed trove, we noticed certain parts of the telco's dot-com – such as its login page for business customers – were marked as being "in maintenance mode." On the other hand, we gather the Rogers' website routinely goes in and out of this feature-limited mode so it could just be a coincidence.
The info silo was found by Canada-based techie and security researcher Jason Coulls, who tried to tip off Rogers about the matter without much success. We've also not heard back from the ISP nor the engineer who owns the offending repository – which remains live, so we won't link to it.
Hapless AWS engineer spilled passwords, keys, confidential internal training info, customer messages on public GitHubREAD MORE
Coulls, who previously discovered Scotiabank's internal materials exposed on GitHub, told El Reg on Thursday that, in addition to the Rogers.com source code, the repository includes credentials for deployment systems, and Oracle-supplied gear.
"Putting the Apache Cassandra configs, Oracle credentials, WebLogic server password, and crypto keys in the open takes that error to a level that I find disturbing," he told us.
"What concerns me now is having seen this, it leaves me with lots of questions, such as, how many other systems share the same exposed crypto keys, or sit on the same WebLogic server?"
Coulls also noted the code could be analyzed by hackers to root out potential weaknesses in the ISP's website.
"Having now seen Rogers’ standard of code, I have to point out that they should have set up server environment variables on the host machines, and then pulled any credentials and keys at run time," said Coulls. "That way their developers can never accidentally check credentials into a repository with the code."
The incident should serve as a warning to all on the importance of keeping track of where source code is kept and who has access to it. While we're seen plenty of poorly secured cloud databases and storage buckets leaking data, code-hosting platforms can also be inadvertently configured by users to expose company secrets and pose a significant security risk if not properly managed.
Updated to add
In response to this story, Rogers has played down the risk.
"Code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk," a spokesperson told us.
"The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity."
Nonetheless, the repository – and another two found overnight containing Rogers' internal materials – have been removed from GitHub after the telco filed a DMCA takedown against the public code silos following our investigation.
The spokesperson also claimed the "maintenance was part of our regular schedule." ®