EE accused of ignoring warnings over exposure of two million lines of system code

Exposure shows EE pushing code to production that it knows contains 100+ vulnerabilities

BT-owned mobile network EE has been accused of exposing two million lines of critical system code and ignoring a security expert's warnings about the company's lax practices - until it was publicly embarrassed.

A hacker could, the security expert claimed, use the exposed code to analyse EE's payment systems and find further security flaws "that could lead to [the] theft of payment information" - although the exposed code itself also contained API and Amazon Web Services (AWS) keys that attackers could exploit directly.

The code was uncovered by an anonymous teenage security specialist, who posts on Twitter under the handle @lol_its_six. The researcher claimed to have discovered the code on a SonarQube portal on an EE subdomain used to audit code and, ironically perhaps, to uncover vulnerabilities on its website and customer portal.

The portal had been protected solely by a default username and password, the researcher claimed.

"After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over two million lines of private source code to their systems and employee systems, due to using an 'admin:admin' user/pass combination," the researcher tweeted.

The tweets continued: "Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually, there's no need, since you can just view the code and take AWS keys, API keys, and more."
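The point the researcher makes in those tweets - that a reader of the code could "just view the code and take AWS keys, API keys, and more" - is exactly what a secret scanner in a pre-commit hook or CI stage is meant to catch before code reaches a repository or an analysis portal. The following is an added example, not EE's code or part of the original article; it scans source lines for credential shapes using AWS's documented example key values as constructed sample input, and the generic API-key heuristic and the sample file are assumptions of this example.

```python
import re
import sys
from typing import List, Tuple

# Credential shapes that should never be committed. The AWS access key ID
# format (AKIA + 16 upper-case alphanumerics) is AWS's documented layout; the
# other two patterns are heuristics assumed for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
}

# Constructed sample source file. The AWS values are the placeholder
# credentials AWS publishes in its own documentation, not live keys.
SAMPLE_SOURCE = [
    "# constructed sample file, not EE's code",
    "import boto3",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'PAYMENT_API_KEY = "EXAMPLEpaymentkey0123456789"',
    "api_timeout = 30",
    "session_token = get_token()",
]


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be traced, hide the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, masked_secret) for every hit.

    Findings are ordered by line, then by pattern order in SECRET_PATTERNS.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                # The secret is the last capture group, or the whole match
                # when the pattern has no groups (the AKIA pattern).
                secret = match.group(match.lastindex or 0)
                findings.append((lineno, name, mask(secret)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a file on disk; used when run as a pre-commit hook."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle.read().splitlines())


def main(argv: List[str]) -> int:
    """Exit non-zero if any file given on the command line contains a secret,
    which is what makes this usable as a commit-blocking hook."""
    targets = argv[1:]
    if not targets:
        # No files given: demonstrate on the constructed sample.
        findings = scan_lines(SAMPLE_SOURCE)
        for lineno, name, masked in findings:
            print(f"sample:{lineno}: {name}: {masked}")
        return 1 if findings else 0
    blocked = False
    for path in targets:
        for lineno, name, masked in scan_file(path):
            print(f"{path}:{lineno}: {name}: {masked}")
            blocked = True
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it reports the three planted credentials in the sample and exits 1; given file paths it scans those instead. Masking the matched value keeps the finding traceable in CI output without copying the secret into yet another log. A pattern scanner of this kind complements, rather than replaces, keeping production credentials out of source entirely, which is the separation EE's statement describes.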

The researcher also claimed that the company had knowingly pushed code into production even though it contained as many as 167 vulnerabilities.

However, in a statement to ZDNet, EE claimed that no customer data had been at risk and that code is routinely put through more processes before it goes into production.

"Our final code then goes through further checks, processes, and review from our security team before being published. This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team."

Naturally, the spokesperson claimed that they "take the security of our customer data extremely seriously" and added that the company had finally instigated an investigation "to make sure this does not happen again".