1. 11
    tmobile stores plaintext passwords security twitter.com

  2. 13

    Twitter links are annoying submissions because they rarely provide any useful insight and aim more for sensationalism. I’d much rather see a CVE on this, for example. I don’t want Lobste.rs to be a source for news.

    1. 3

      Indeed. Twitter is very seldom a good format for nuanced discussion or debate.

      1. 3

        It is a good platform for getting a public response from a large company though.

        Sure, this is probably a “social media rep” without enough technical knowledge, who should have escalated the question to someone else.

        But, it exposes these sort of issues quite well.

      2. 2

        That is assuming that Twitter doesn’t load for a minute before failing to display the actual thread…

      3. 8

        Hahaha: “@Korni22 What if this doesn’t happen because our security is amazingly good? ^Käthe”

        Famous last words?

        No, your security is not “amazingly good” if you store passwords in plain text!

        Oh my god, this is pure comedy:

        “Three of their subdomains (blog/kids/newsroom) were running wordpress blogs, the code managed via a git repository. You could download that git repo, you can test that by appending .git/config to the URL. […] thus I was able to download their repo. The wordpress config (wp-config.php) was in the repository. That config file contains the database/mysql username/password. […] But the database was running on localhost - so it’s not a big deal. Well, except if they have a phpmyadmin interface open to the public. Which they had.”

        The gift that keeps on giving, their page suffers from XSS!

        “Great, so there are a whole load of XSS vulnerabilities on their site. Interesting thing is, that the Telekom in Germany did exclude XSS vulnerabilities from their bug bounty program scope in 2013. Guess it was too much to pay.”

        And facepalm!

        “Customer service agents see only parts of customers’ passwords which are safely stored in encrypted databases via industry standard encryption algorithm […] ^Helmut @ojour”

        Okay, enough fun for today.

        “We are also using one-time-PINs for customer authentication and are evaluating voice biometrics.”

        Why not blockchain technology?

        Sorry, couldn’t help myself.

        This idea that a company who can’t even implement a basic user/password authentication system should be trusted with user biometric data is scary.

        Oh boy, I said I won’t do any more edits, but here is the software stack.

        Kernel 2.6.18, compiled in 2011, so RHEL 5.6

        PHP 5.1.6, from 2006.

        Apache 2.4.18, affected by multiple CVEs.

        And no, these PHP and Apache versions don’t have backported patches, as RHEL 5.6 support ended in 2013.
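        The three exposures quoted above (a fetchable `.git/config`, `wp-config.php` reachable in the web root, and a public phpMyAdmin) are all fixable at the web server. Below is an added Apache 2.4 hardening fragment written for this thread, not configuration from T-Mobile or from the blog post; the `10.0.0.0/8` range and the `/etc/httpd/.htpasswd` path are placeholders.

        ```apache
        # Added example (not from the thread). Drop into the relevant vhost or
        # a conf.d file, then `apachectl configtest` and reload.

        # 1. Never serve version-control metadata. Serving the .git directory is
        #    what let ".git/config" (and with it the whole repo) be downloaded.
        <DirectoryMatch "/\.git">
            Require all denied
        </DirectoryMatch>

        # Other dotfiles (.env, .htpasswd, .svn) leak secrets the same way.
        <FilesMatch "^\.">
            Require all denied
        </FilesMatch>

        # 2. wp-config.php holds the database credentials. Deny it outright so a
        #    later PHP-handler misconfiguration cannot serve it as plain text.
        <Files "wp-config.php">
            Require all denied
        </Files>

        # 3. Admin tooling such as phpMyAdmin must not be world-reachable.
        #    RequireAll makes BOTH the source range AND a valid login mandatory;
        #    bare sibling Require lines would be OR-ed together in 2.4.
        <Location "/phpmyadmin">
            AuthType Basic
            AuthName "Restricted"
            AuthUserFile "/etc/httpd/.htpasswd"
            <RequireAll>
                Require ip 10.0.0.0/8
                Require valid-user
            </RequireAll>
        </Location>
        ```

        After reloading, a request for `/.git/config` or `/wp-config.php` on your own host should return 403 rather than 200, which is the quickest regression check to keep in a deployment pipeline.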

        1. 9

          I wish people would stop dogpiling on customer service reps that probably get minimum wage to respond to crap on social media. They have no idea. Don’t make fun of them. Escalate to the TMobile security team if you have an issue. Nobody on social media will be able to solve this problem.

          1. 9

            Shouldn’t the customer service rep escalate this, rather than responding “I really do not get why this is a problem” if they have no idea?

            1. 3

              TMobile deserves everything that has been thrown at them. Both their IT system and their public response (through this PR person) have been unacceptable.

              The fact that this employee might be paid minimum wage or doesn’t know tech does not excuse TMobile’s behavior in any way. This person is officially representing the company. It doesn’t matter if it’s the CEO, a minimum wage worker, or some AI bot. What matters is what was said.

              As an employee, this person has caused a PR catastrophe, and not because of not knowing tech, but because of failing at their PR job. Yes, as a PR person you are not expected to know tech, but you are supposed to know diplomacy and know when to ask other people. This person (and several others) have arrogantly mocked and taunted tech savvy users. That is never acceptable.

              Of course TMobile is guilty of giving someone a level of power and responsibility they could not handle, but after this event it would be insane for TMobile to keep this person in this position. I’m not saying they should fire anyone, as I said, it’s TMobile’s fault they hired the wrong person, but they should definitely hire a replacement and give this person something else to do.

            2. 5

              That thread was scary - but I don’t believe it warrants a submission on Lobste.rs