Rogers’ internal passwords and source code found open on GitHub

Sensitive data of another major Canadian firm has been found sitting open on the GitHub developers platform.

Security researcher Jason Coulls said he recently discovered two open accounts with application source code, internal user names and passwords, and private keys for Rogers Communications. No customer data was found.

He suspects the code belonged to a developer who has left the company.

Coulls, who works in the IT department of a Toronto firm and has his own security consultancy, initially told The Register of the discovery.

One problem is that the code he saw describes data payloads and how that data moves between databases and web services.

“You can use that to get to the stuff that people [thieves] would go after,” he explained.

In a statement late last night, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.”