
Archive for May, 2009

Security and (Orange.fr) Passwords

May 25th, 2009

Holding a position as an incumbent or primary telecom carrier bestows certain monopoly-ish benefits including limited (or no) competition in connection choices to homes and certain businesses. A person representing a home or business needs a phone or cable connection in order to obtain a connection to the Internet.

This privileged position implies a certain duty of care by the carriers toward their customers. That duty, however, is sometimes misplaced. For example, storing customer passwords in the clear, as text that anyone could read, is not a “best practice” in security circles. It came as a shock when TrendMicro wrote about this practice at noted telecom company Orange (Telecom) in France:

The showstopper however is the vulnerability on the orange.fr website which was posted today. According to 2fingers over at HackersBlog a SQL injection vulnerability was discovered by fellow hacker Unu, that exposes not only the account details of almost a quarter of a million customers, but also their passwords in clear text.

Why is this important? The article continues:

Recently published research showed that 61% of people use the same password for multiple sites, so this kind of compromise represents real risk for many people.

HackersBlog state that they have alerted the folks over at orange.fr but have not yet received a response.

If Orange was truly storing passwords in a clear text file, the rest of their security practices should rightly be questioned. The lesson applies to all providers: take care, and use best practices to protect your customers.
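As an added illustration (not code from the original post or from any party it mentions), here is one way a provider can store credentials so that a disclosed table yields no readable passwords: a per-user random salt, a slow key-derivation function, and bound query parameters. The table layout, function names and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your own hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    """Create a hypothetical in-memory account table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db


def register(db: sqlite3.Connection, login: str, password: str) -> None:
    salt = os.urandom(16)  # unique per account, so equal passwords hash differently
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               (login, salt, hash_password(password, salt)))


def verify(db: sqlite3.Connection, login: str, password: str) -> bool:
    # Bound parameter: the login value is treated as data, never as SQL text.
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown logins
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_contains(db: sqlite3.Connection, secret: str) -> bool:
    """Check whether a full table disclosure would reveal `secret` in the clear."""
    needle = secret.encode("utf-8")
    for row in db.execute("SELECT login, salt, pw_hash FROM accounts"):
        for col in row:
            data = col.encode("utf-8") if isinstance(col, str) else col
            if needle in data:
                return True
    return False
```

With this layout, someone who reads the whole table still has to attack each account's hash separately, which also limits the damage from the password reuse the article describes.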

This post should also serve as a reminder to everyone who is a customer of an Internet Service Provider: periodically change and protect your passwords.


Identity, Network, Policy, Scenarios
