by 4ad 2997 days ago
> @Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe

Famous last words?

No, your security is not "amazingly good" if you store passwords in plain text!

This is pure comedy[1]:

> Three of their subdomains (blog/kids/newsroom) were running wordpress blogs, the code managed via a git repository. You could download that git repo; you can test that by appending .git/config to the URL. [...] thus I was able to download their repo. The wordpress config (wp-config.php) was in the repository. That config file contains the database/mysql username/password. [...] But the database was running on localhost - so it's not a big deal. Well, except if they have a phpmyadmin interface open to the public. Which they had.

And it keeps on giving, there are a bunch of XSS vulns in their web site[2]:

> Great, so there are a whole load of XSS vulnerabilities on their site. Interesting thing is that the Telekom in Germany did exclude XSS vulnerabilities from their bug bounty program scope in 2013. Guess it was too much to pay.

Oh boy[3]:

> Customer service agents see only parts of customers' passwords which are safely stored in encrypted databases via industry standard encryption algorithm [...] ^Helmut @ojour

So they can't hash passwords, but they want to do biometrics:

> We are also using one-time-PINs for customer authentication and are evaluating voice biometrics.

This idea that a company who can't even implement a basic user/password authentication system should be trusted with user biometric data is scary.

Here is the software stack[4]:

Kernel 2.6.18, compiled in 2011, so RHEL 5.6

PHP 5.1.6, from 2006.

Apache 2.4.18, affected by multiple CVEs.

I don't believe these PHP and Apache builds have any backported patches, as RHEL 5.6 support ended in 2013. Can anyone confirm this?

The really sad thing about this is that T-Mobile's competitors (in Austria) are not any better. A1 also stores passwords in plain text, and I got reports that Drei does that too (although I couldn't confirm this as of yet).

[1] https://twitter.com/hanno/status/982530301024002048?s=19

[2] https://twitter.com/fabricio_giglio/status/98236273592413798...

[3] https://twitter.com/tmobileat/status/982394129249460226

[4] https://twitter.com/Pips801/status/982378530792136706