For the second time this week, U.K. phone giant EE has fixed a security lapse, which allowed a security researcher to gain access to an internal site.
The researcher, who goes by the pseudonym Six, found the company’s internal training site indexed on Google. (We’re not linking to the page as it remains an active site.) Although the site required an employee username and password to log in, the researcher found that an “admin” account existed, of which anyone with the answer to the secret question could reset the password.
It turns out that secret question could have been stronger.
“What is your eye color,” the researcher told TechCrunch. “I tried loads of colors and they all give an error,” he said. “The answer was simply ‘brown,’” he said.
From there, he gained access to the entire internal training site.
EE is the largest phone network in the U.K. with more than 30 million users.
TechCrunch reported the security lapse to the company on Wednesday. A spokesperson for EE said a fix was implemented early Thursday, and thanked the researcher.
“This account has now been disabled and we have also changed the password and security question for the account,” said a spokesperson. “No customer data is, or has been, at risk as the user account on the training website only gave access to a dummy environment with fake accounts.”
But the researcher disputed part of EE’s response, accusing the company of downplaying the security incident.
The researcher shared several screenshots with TechCrunch of the site. According to the site’s login page, the portal is the “home of training” for all EE staff. Employees are given access in the first week of their start date, and can access the site for the first time with a password which is their “surname all in lower case.”
Some screenshots showed dummy data, but others showed course content and employee knowledge base resources. He said that he had access to training on linked organizations, including Orange and Plusnet.
Although the researcher found no employee or customer data, he said the admin account allowed him to grant himself “any permissions” he wanted, and change the access of any other group of users, he said.
“I didn’t do any of that because of the law, but that doesn’t mean a malicious attacker couldn’t have done it,” he said.
Earlier this week, EE fixed a vulnerability that allowed customers to gift their own or linked accounts unlimited data for free. The company fixed the bug within two days.