
Amazingly Good Security - dfundako
https://twitter.com/tmobileat/status/982187919061303296?s=19
======
Artemis2
> Am I late for the T-Mobile party? @c_pellegrino, @tmobileat

[https://twitter.com/fabricio_giglio/status/98236273592413798...](https://twitter.com/fabricio_giglio/status/982362735924137984)

------
Blackstone4
T-Mobile Austria customer service can access the first four characters of your
password. They ask for your password over the phone for security purposes.

This indicates they are potentially storing passwords in plaintext or at the
very least the first four characters.

I'm shocked by how Käthe of T-Mobile Austria responded. I would be surprised
if she keeps her job.

> Excuse me? Do you have any idea how telecommunication companies work? Do you
> know anything about our systems? But I'm glad you have the time to share
> your view with us. ^Käthe

~~~
Blackstone4
Here's a link to the meme summary of the convo:

[https://twitter.com/jacobc/status/982348607658508289](https://twitter.com/jacobc/status/982348607658508289)

------
throwaway2016a
Scroll up in the thread if you want more context. I only read down and it was
very confusing.

This conversation started because someone found out that customer service had
access to their plaintext passwords. Starting the conversation at the point
the link goes to makes it sound (to me at least) that this is just some
hypothetical and there is no way they really store their password this way.

> Had the same issue with T-Mobile Austria. Apparently they are saving the
> password in clear because employees have access to them (you have to tell them
> your password when you're talking to them on the phone or in a shop) and they
> are not case sensitive

------
harel
Amazing is a good word to describe this. If this is not an invitation to a
challenge, I don't know what is. Some poor PR dude at T-Mobile, and some
devs are about to get a big life lesson.

------
awinder
T-mobile US came in later in the thread to clarify that they’re not storing
passwords in plaintext. This is kinda fun, I guess, but arbitrating this with
one arm of a multinational company over Twitter kinda yielded predictable
results.

~~~
c22
This must be a new policy, because back in 2008/2009 T-mobile US was able to
email my password to me.

------
Blackstone4
I would suggest changing the title to "T-Mobile Austria stores passwords in
plaintext?"

------
4ad
> @Korni22 What if this doesn't happen because our security is amazingly good?
> ^Käthe

Famous last words?

No, your security is not "amazingly good" if you store passwords in plain
text!

This is pure comedy[1]:

> Three of their subdomains (blog/kids/newsroom) were running wordpress blogs,
> the code managed via a git repository. You could download that git repo, you
> can test that by appending .git/config to the URL. [...] thus I was able to
> download their repo. The wordpress config (wp-config.php) was in the
> repository. That config file contains the database/mysql username/password
> __. [...] But the database was running on localhost - so it's not a big
> deal. Well, except if they have a phpmyadmin interface open to the public.
> Which they had.

And it keeps on giving, there are a bunch of XSS vulns in their web site[2]:

> Great, so there are a whole load of XSS vulnerabilities on their site.
> Interesting thing is, that the Telekom in Germany did exclude XSS
> vulnerabilities from their bug bounty program scope in 2013. Guess it was
> too much to pay.

Oh boy[3]:

> Customer service agents see only parts of customers' passwords which are
> safely stored in encrypted databases via industry standard encryption
> algorithm [...] ^Helmut @ojour

So they can't hash passwords, but they want to do biometrics:

> We are also using one-time-PINs for customer authentication and are
> evaluating voice biometrics.

This idea that a company that can't even implement a basic user/password
authentication system should be trusted with user biometric data is scary.

Here is the software stack[4]:

Kernel 2.6.18, _compiled_ in 2011, so RHEL 5.6

PHP 5.1.6, from 2006.

Apache 2.4.18, affected by multiple CVEs.

I don't believe these PHPs and Apaches have any backported patches, as RHEL
5.6 support ended in 2013. Can anyone confirm this?

The really sad thing about this is that T-Mobile's competitors (in Austria)
are not any better. A1 also stores passwords in plain text, and I got reports
that Drei does that too (although I couldn't confirm this as of yet).

[1]
[https://twitter.com/hanno/status/982530301024002048?s=19](https://twitter.com/hanno/status/982530301024002048?s=19)

[2]
[https://twitter.com/fabricio_giglio/status/98236273592413798...](https://twitter.com/fabricio_giglio/status/982362735924137984)

[3]
[https://twitter.com/tmobileat/status/982394129249460226](https://twitter.com/tmobileat/status/982394129249460226)

[4]
[https://twitter.com/Pips801/status/982378530792136706](https://twitter.com/Pips801/status/982378530792136706)
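An added illustration of the point running through this thread (the "first four characters" support check in Blackstone4's post and the "encrypted databases" claim quoted above); this is not code from any poster or from T-Mobile. It contrasts a reversible record, which is the only kind that can answer a prefix question, with a salted scrypt record that supports nothing but an all-or-nothing check; the password and salt are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors for a quick demo (memory-hard; ~16 MiB per hash).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Proper storage: per-user random salt plus a scrypt digest.
    No character of the password is recoverable from this record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return {"scheme": "scrypt", "salt": salt, "digest": digest}


def store_plaintext(password: str) -> dict:
    """What the thread infers from the support workflow: the record holds
    the password itself (or a reversible encryption of it, which is
    equivalent for anyone holding the key)."""
    return {"scheme": "plaintext", "password": password}


def verify_login(record: dict, attempt: str) -> bool:
    """Full-password login works for either scheme. The hashed path compares
    digests in constant time and is case sensitive, unlike the store the
    quoted customer describes."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["password"].encode(), attempt.encode())
    digest = hashlib.scrypt(attempt.encode("utf-8"), salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(digest, record["digest"])


def support_prefix(record: dict, n: int = 4) -> Optional[str]:
    """The 'tell me the first four characters' workflow. Only a reversible
    record can answer it; a hash record has nothing to reveal, so None."""
    if record["scheme"] == "plaintext":
        return record["password"][:n]
    return None


def digest_bits_differing(password: str, salt: bytes) -> int:
    """Two passwords sharing their first four characters yield digests that
    differ in roughly half of their 256 bits: the prefix does not leak."""
    a = hash_password(password, salt)["digest"]
    b = hash_password(password[:4] + "-other-suffix", salt)["digest"]
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    rec = hash_password("Passw0rd!")            # constructed sample password
    print(verify_login(rec, "Passw0rd!"), support_prefix(rec))   # True None
```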

