ISP Security Fail

jason

The Dutch branch of Tele2 has apparently been assigning the same default password to all users, according to SC Magazine. From the article:

The Dutch branch of Tele2 claimed that when a new subscriber signs up, they can choose a login or are assigned one and they are then sent a letter by Tele2 with their login name, password and the date their new DSL connection will be activated.

As the password is changed monthly instead of being generated randomly, all subscribers that signed up in the same month will have the same password.

Writing on the securityandthe.net blog, author Martin claimed that the letter does not even mention the need to change this password anywhere, and with the correct login and password, you can, amongst others, view and change the customer’s contact details and view their billing history.

I wonder if they store the passwords in plaintext too? It’s extremely simple to write something that generates a random password per user and inserts it in place of “password=’lame’” in the codebase, so they really have no excuse for this. Even making the change mandatory doesn’t fix the problem, because I would still be able to get into your account if you haven’t logged in yet. This is almost as bad as AT&T leaving just about every iPhone user’s voicemail unprotected by a password and neither telling them nor giving them an easy option on the phone itself to set up a password.
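As an added illustration (not code from the post or from Tele2), here is the monthly shared-default scheme the article describes next to the per-account random initial password the post calls for, with the password stored only as a salted hash and a must-change flag; the month-based password format and the login names are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import date

# --- Weak scheme as described in the article: one default password per calendar month.
def monthly_default_password(signup: date) -> str:
    # Every subscriber activated in the same month gets this same string
    # (constructed placeholder format, not Tele2's real one).
    return f"isp-{signup:%Y%m}"

# --- Hardened scheme: a unique random initial password per account.
ALPHABET = string.ascii_letters + string.digits

def random_initial_password(length: int = 12) -> str:
    # secrets, not random: the value goes in a letter and must be unpredictable.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password: str, salt: bytes = b"") -> tuple:
    # Fresh per-account salt so two identical passwords still hash differently.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def provision_account(login: str) -> tuple:
    """Create the stored record and the one-time password printed in the welcome letter."""
    password = random_initial_password()
    salt, digest = hash_password(password)
    record = {"login": login, "salt": salt, "hash": digest,
              "must_change_password": True}  # force a change on first login
    return record, password  # the plaintext goes to the letter only, never to the record

def verify_login(record: dict, password: str) -> bool:
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])
```

Note that the must-change flag only helps once the subscriber has actually logged in; until then the letter is the only copy of the secret, which is why the per-account randomness matters more than the flag.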
