by ice3 2173 days ago
So this issue affects Telia Lithuania clients. But I wouldn't be surprised if the same (or similar) issue affects clients in Sweden.

The article mentions a leaked password hash from 2014, but as far as I know, there were at least 3 password (not hash!) leaks over the last 10 years.

Generally, I recommend people buy their own routers and never use the "Self Service" for managing passwords.

As for hostility of service providers - the situation isn't that good.

Some years ago, a white hat reported some data leak vulnerabilities in a medical "self service" portal.

Vulnerability: change your personal code/id (SSN for folks in US) to another person's number in the POST, and voila - you get the medical history of another person.

What happened is that the white hat got blamed for "hacking" that system.

Result: Vulnerabilities aren't getting reported. Bad guys are exploiting them left and right. White hats don't bother disclosing them.

I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

EDIT: grammar
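The medical-portal flaw described above (the server trusts the personal code in the POST body instead of the identity established at login) is a textbook authorization bypass. The following is an added example, not code from the original post or from any real portal: a constructed record store and request shape, with the vulnerable lookup beside a fixed one that derives the subject from the authenticated session and treats a mismatching client-supplied code as tampering. All identifiers and records are hypothetical.

```python
"""Vulnerable vs. fixed handler for 'change the personal code in the POST'.
Added example; the portal, session layout and records are all constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: personal code -> medical history (hypothetical).
RECORDS = {
    "39001011234": ["2018-03-02 flu", "2019-07-11 fracture, left wrist"],
    "48505055678": ["2020-01-20 hypertension follow-up"],
}


@dataclass
class Request:
    session_personal_code: str  # identity fixed at login (e.g. via e-ID card)
    form: dict                  # POST body as parsed by the server


class Forbidden(Exception):
    pass


def history_vulnerable(req: Request) -> list[str]:
    """Looks up whichever personal code the client put in the POST body.
    Authentication happened, but authorization is missing: any logged-in
    user can read anyone else's history by editing one form field."""
    code = req.form["personal_code"]
    return RECORDS.get(code, [])


def history_fixed(req: Request) -> list[str]:
    """Derives the subject from the authenticated session and never uses a
    client-supplied identifier for the lookup. A supplied code that differs
    from the session identity is rejected (and, in a real system, logged),
    because the only way to produce it is to tamper with the request."""
    supplied = req.form.get("personal_code")
    if supplied is not None and supplied != req.session_personal_code:
        raise Forbidden("personal_code does not match authenticated user")
    return RECORDS.get(req.session_personal_code, [])


def demo() -> dict:
    """Replays the attack from the post against both handlers."""
    victim, attacker = "39001011234", "48505055678"
    tampered = Request(session_personal_code=attacker,
                       form={"personal_code": victim})
    results = {"vulnerable": history_vulnerable(tampered)}
    try:
        history_fixed(tampered)
        results["fixed"] = "leaked"
    except Forbidden:
        results["fixed"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is not input validation: the submitted code is syntactically valid. The lookup key has to come from the server-side session, and the client field becomes at most a consistency check worth alerting on.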

7 comments

>>> I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

I can tell you from experience, the only way to reliably get a vulnerability fixed is to publish on Twitter.

Of course if you've got vulnerabilities in government sites and power plants, you may prefer to not disclose to twitter to avoid harm to the public. Sitting on vulnerabilities in the absence of alternative is a perfectly ethical and reasonable choice.

> I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

That's what full disclosure is for. Drop the vuln somewhere via Tor, maybe point someone there via some anonymous communiqué. Et voilà, you made the world a safer and better place.

Imho sitting on vulnerabilities is immoral as long as anonymous full disclosure is possible.

This might be dangerous if you initially planned to disclose responsibly and did the research/testing of the vulnerability without anonymization. In that case, if you were to release the vulnerability anonymously and it wasn't exploited before, they could still figure out that you did it by examining the logs and finding your early non-anonymous attempts.

Right, and there's no possibility to do research/testing anonymously anyway. You use your personal e-Signature/ID card to log on to government sites, so your logon is always tied to you.

It's possible that the programmers who built the system are really bad at security and really good at audit logging, but I doubt it. Personally I would take the risk, but I understand why others might not want to.
One of the first things I've recommended with systems that deal with PII or secret data is to see if the vulnerability being reported or discovered has been exploited in the past.

Many different hops will log things like HTTP paths, which include GET information, or DB audit logging, which can easily be traced with message IDs or timestamp comparisons. It's surprising how easy it is to trace issues; debug logging is often left on in production systems.

I wouldn't take that risk.

I work for one of the big SaaS providers. Their internal response to this stuff requires me to fill in forms and sign a bunch of shit, as well as exchange emails and enter MFA codes - it ends up taking about 30 mins to 1 hour of back-and-forth (over a period of about a week because timezones - they obviously leave this process management stuff to where labour is cheap).

I did it once, I've found probably 10 other issues with customers, partners and our own products that I won't be reporting since I have to go through that process every time with my employer.

There is no benefit to me for reporting it aside from an automated thank you message when they close a ticket.

I'd submit/advise anonymously but I usually discover this stuff in a way they can trace it back to me.

So instead, my data as well as my customers', colleagues' and good people's data remains accessible to the internet.

I'm sorry for that.

Would the ability to anonymously disclose vulnerabilities help? I fear that disclosures like that would just be ignored, though.

What one should do is to involve www.NKSC.lt - the National Cyber Security Centre. They have a form to submit vulnerabilities.

I did send a few reports from throwaway email accounts, but the issues did not get resolved.

I suspect there's another way to go about it - if you're a Telia customer - send them GDPR Article 33 request.

Do you have the self service thing in Sweden? Granted I'm not a Telia customer here in FIN, but I have never seen this kind of functionality on my own home routers. Plain router admin always.

Telia routers in Sweden can be managed remotely from Telia's web page. I don't mean port forwarding, but some other channel between the admin tool on their website and the router. (You can also connect locally on the LAN and admin the router that way.)

Tangentially related Swedish bork:

https://medium.com/@rikardhjort/2-7-medical-calls-breached-i...

It's the same with Telia Estonia.

And they use dropbear to connect to the router to make changes from remote/customer service/the online customer portal, if you're curious (you can see it in the logs of the router, Inteno ones).

I couldn't find it on the web site, but I found something similar here:

https://apps.apple.com/se/app/telia-smart-wifi/id1459248896

https://play.google.com/store/apps/details?id=com.teliacompa...

They allow login with BankID (Swedish authentication system using Personal Identity Number) or a Telia login, implying I don't need the admin password printed on the back of the router, so it ought to use the same type of backdoor I'd expect support personnel have and the Lithuanian web site has.

Judging by the comments of both apps though, it seems it doesn't work at all... maybe they need to add more than 5 PHP workers.

Well, it is risky hiring workers in Sweden. If you don't need them anymore it's difficult to get rid of them!

This is just plain wrong. There are many ways to handle such a situation. One would be "visstidsanställning", which is employment for a pre-determined period.

Funny how everyone missed the fact I was suggesting firing PHP workers, which are background processes in PHP servers.

Sure, you can work around the labour laws in many ways, but he is likely referring to a normal full time employment contract, as most people do when they talk about employment.

And he's not wrong in the figurative way, the labour laws are quite strict and the unions are in an impossibly strong standing in Sweden.

You can fire people if you don't need them (don't have enough work for them); that's called arbetsbrist and is the most common reason for firing people in Sweden. You just can't turn around and hire other people for the same job right after.

Observation: You're using the same kind of approach as the "I almost found a vulnerability" and "but I won't be disclosing them, since that will land me in a lot of trouble" as the submitted post does.

You're absolutely correct. And I completely understand the author's point of view.

By disclosing the vulnerability, I'd be taking a risk of a criminal investigation. This is not a joke. This has already happened at least once in Lithuania.

I have a job, one that has nothing to do with infosec, but I'd be risking that job if I had an ongoing criminal investigation.

That's very irresponsible of you. You just said that someone could read someone else's medical data, and there you are sitting on similar vulnerabilities out of principle. Shame.

I know first hand that such big telcos are slow and bureaucratic. But they still need help and patience. They do after all have all the important government contracts.

I think we need the equivalent of the Good Samaritan law for the CFAA for this.