T-Mobile Austria customer service can access the first four characters of your password. They ask for your password over the phone for security purposes.
This indicates they are potentially storing passwords in plaintext or at the very least the first four characters.
I'm shocked by how Käthe of T-Mobile Austria responded. I would be surprised if she keeps her job.
> Excuse me? Do you have any idea how telecommunication companies work? Do you know anything about our systems? But I'm glad you have the time to share your view with us. ^Käthe
Scroll up in the thread if you want more context. I only read down and it was very confusing.
This conversation started because someone found out that customer service had access to their plaintext passwords. Starting the conversation at the point the link goes to makes it sound (to me at least) that this is just some hypothetical and there is no way they really store their password this way.
> Had the same issue with T-Mobile Austria. Apparently they are saving the password in clear because employees have access to them (you have to tell them your password when you're talking to them on the phone or in a shop) and they are not case sensitive
Amazing is a good word to describe this. If this is not an invitation to a challenge, I don't know what is. Some poor PR dude at T-Mobile, and some devs, are about to get a big life lesson.
T-mobile US came in later in the thread to clarify that they’re not storing passwords in plaintext. This is kinda fun, I guess, but arbitrating this with one arm of a multinational company over Twitter kinda yielded predictable results.
> @Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe
Famous last words?
No, your security is not "amazingly good" if you store passwords in plain text!
This is pure comedy[1]:
> Three of their subdomains (blog/kids/newsroom) were running wordpress blogs, the code managed via a git repository. You could download that git repo, you can test that by appending .git/config to the URL. [...] thus I was able to download their repo. The wordpress config (wp-config.php) was in the repository. That config file contains the database/mysql username/password. [...] But the database was running on localhost - so it's not a big deal. Well, except if they have a phpmyadmin interface open to the public. Which they had.
And it keeps on giving, there are a bunch of XSS vulns in their web site[2]:
> Great, so there are a whole load of XSS vulnerabilities on their site.
Interesting thing is that Telekom in Germany excluded XSS vulnerabilities from their bug bounty program scope in 2013. Guess it was too much to pay.
Oh boy[3]:
> Customer service agents see only parts of customers' passwords which are safely stored in encrypted databases via industry standard encryption algorithm [...] ^Helmut @ojour
So they can't hash passwords, but they want to do biometrics:
> We are also using one-time-PINs for customer authentication and are evaluating voice biometrics.
This idea that a company who can't even implement a basic user/password authentication system should be trusted with user biometric data is scary.
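To make the thread's point concrete, here is an added example (not code from the thread or from T-Mobile) contrasting what a salted hash permits, an all-or-nothing check of the whole password, with what a "first four characters" help-desk check requires. The only way to support the latter without keeping plaintext is a separate digest of the prefix, and the example shows that such a digest is recovered by enumerating the tiny prefix space (36 symbols, since the thread says the passwords are not case sensitive). The storage scheme, the sample password and the iteration count are assumptions.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the full-password hash
PREFIX_ALPHABET = string.ascii_lowercase + string.digits  # case-insensitive, as in the thread
PREFIX_LEN = 4  # "the first four characters of your password"


def store_full(password: str) -> dict:
    """Proper storage: per-user salt plus PBKDF2-HMAC-SHA256 of the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, candidate: str) -> bool:
    """All-or-nothing check: the record reveals nothing about any substring,
    so an agent cannot confirm 'the first four characters' from it."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def store_prefix(password: str) -> dict:
    """What a help desk would need in order to check a prefix without plaintext:
    a separate salted digest of the lower-cased first four characters."""
    salt = os.urandom(16)
    prefix = password[:PREFIX_LEN].lower().encode()
    return {"salt": salt, "digest": hashlib.sha256(salt + prefix).digest()}


def recover_prefix(record: dict) -> Optional[str]:
    """The prefix digest is plaintext in all but name: 36**4 = 1,679,616 candidates
    is a full enumeration in seconds, and a slow hash only multiplies that constant.
    Returns the recovered prefix, or None if it is not lower-case alphanumeric."""
    for chars in itertools.product(PREFIX_ALPHABET, repeat=PREFIX_LEN):
        guess = "".join(chars).encode()
        if hashlib.sha256(record["salt"] + guess).digest() == record["digest"]:
            return guess.decode()
    return None


if __name__ == "__main__":
    pw = "Correct-Horse-42"  # constructed sample password
    full = store_full(pw)
    print("full match:", verify_full(full, pw))        # True
    print("prefix match:", verify_full(full, pw[:4]))  # False: a hash cannot confirm a prefix
    print("recovered prefix:", recover_prefix(store_prefix(pw)))  # corr
```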
Here is the software stack[4]:
Kernel 2.6.18, compiled in 2011, so RHEL 5.6
PHP 5.1.6, from 2006.
Apache 2.4.18, affected by multiple CVEs.
I don't believe these PHP and Apache builds have any backported patches, as RHEL 5.6 support ended in 2013. Can anyone confirm this?
The really sad thing about this is that T-Mobile's competitors (in Austria) are not any better. A1 also stores passwords in plain text, and I got reports that Drei does that too (although I couldn't confirm that as of yet).
https://twitter.com/fabricio_giglio/status/98236273592413798...