Select Page

Rogers’ internal passwords and source code found open on GitHub

Rogers’ internal passwords and source code found open on GitHub

Sensitive data of another major Canadian firm has been found sitting open on the GitHub developers platform.

Security researcher Jason Coulls said he recently discovered two open accounts with application source code, internal user names and passwords, and private keys for Rogers Communications. No customer data was found.

He suspects the code belonged to a developer who has left the company.

Coulls, who works in the IT department of a Toronto firm and has his own security consultancy, initially told The Register of the discovery.

One problem is the code he saw describes data payloads and how it goes between databases and web services.

“You can use that to get to the stuff that people [thieves] would go after,” he explained.

In a statement late last night, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.

“You can use that to get to the stuff that people [thieves] would go after,” he explained.

In a statement late last night, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.”

About The Author

Leave a reply

Your email address will not be published. Required fields are marked *

Human Verification: In order to verify that you are a human and not a spam bot, please enter the answer into the following box below based on the instructions contained in the graphic.