A researcher has accused one of Canada’s biggest banks of “muppet-grade security” after discovering application source code and private login keys to backend systems on GitHub repositories.
The accusation comes from IT pro Jason Coulls, who, according to the online news service The Register, recently discovered the unprotected folders of data belonging to Scotiabank.
“These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances,” the news story says. It describes the files as “a potential gold mine of vulnerabilities for criminals and hackers to exploit.”
According to the report, Scotiabank spent the last couple of days tearing down the GitHub repositories, which it believes were inadvertently left open to the public, after being alerted by The Register.
A spokesperson for Scotiabank was asked this morning to explain how the incident happened and the bank’s policy for developers using GitHub. In reply the bank said “the information we identified that was posted on an online data repository does not contain information that would put our customers, employees and partners at risk. Our technical teams are working to remove the information.”
Canadian banks have to report security incidents to the regulator, the Office of the Superintendent of Financial Institutions. Colin Palmer, a communications officer for the OSFI said in an email that “when situations such as this arise, we are informed, will monitor the situation closely and ask for any clarifications if required.”
He said that for confidentiality reasons the OSFI won’t comment further.
GitHub is a site that hosts repositories for the Git version control system, where developers can collaborate on applications. Bought by Microsoft last year, it is a highly popular service. However, organizations that allow staff to use it have to ensure their repositories are access-controlled and protected by strong authentication.
GitHub has a site with advice and tools for protecting work. It also offers a number of monthly plans for enterprises with varying levels of security capabilities, including team access controls. It isn’t known whether the repositories were left open by an individual Scotiabank developer or by a manager.
The Register story detailed what Coulls found. “Among the hundreds of files of documentation and code, which appear to have been created by developers working on versions of Scotiabank’s mobile apps for Central and South America, were credentials and keys to access some of the bank’s backend systems and services dotted around the world,” said the news story. “Among the more sensitive blueprints was code and login details for what appeared to be an SQL database system of foreign exchange rates.”
It quoted Coulls as saying that among the applications with their credentials openly available was a foreign exchange rate SQL Server database. Source code that could have been accessed integrated the bank’s systems with payment services, including Samsung and Google Pay as well as U.S. credit-card processors Visa and Mastercard, and others.
Scotiabank is not only a user of GitHub, it’s also a contributor to the ecosystem. Last year the bank announced its first open source contribution to the GitHub community so developers can use it for their applications.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, noted that public code repositories and various code and data sharing projects can greatly facilitate DevSecOps and accelerate agile software development. However, he added, they likewise bring a wide spectrum of critical business risks of inadvertent or careless data leaks, exacerbated by third-party developers with insufficient security training.
“Some developers recklessly share passwords from production systems on Pastebin, thereby opening doors to their digital realms without thinking about the consequences. Cybercriminals are well aware of the situation and are continuously crawling publicly accessible data sources to get sensitive source code, hard-coded credentials and API keys. Worse, they often succeed, and their intrusions frequently remain undetected as virtually no abnormal activity happens.
“Large companies need to thoughtfully design a secure software development policy, and properly enforce and monitor it. Regular security training for developers should be an essential part of the policy. Special attention must be given when developers are outsourced to third-parties unfamiliar with security procedures and best practices.”
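The crawling for hard-coded credentials that Kolochenko describes is what the "enforce and monitor" part of a secure development policy has to pre-empt: code should be checked for secrets before it is pushed to any repository, public or private. The following is an added example and not code from Scotiabank, GitHub or ImmuniWeb. It is a small Python secret scanner with illustrative regular expressions for the secret types the story mentions (connection strings with an embedded password, API keys and tokens assigned in code or configuration, and private key blocks), plus a placeholder filter and an entropy check to keep false positives down. The file names, contents, hostnames and secret values in `SAMPLE_FILES` are constructed for the example, and the pattern names and thresholds are the example's own choices.

```python
"""Pre-push secret scanner: flag hard-coded credentials before they reach a
shared repository. Added example with constructed inputs; not a vendor tool."""
import math
import re
import sys
from typing import Dict, List

# Illustrative patterns for the secret types the story describes: database
# connection strings with an embedded password, API keys or tokens assigned in
# code or config, and private key blocks. Group 1 captures the secret value.
PATTERNS = {
    "connection_string_password": re.compile(
        r"(?i)(?:password|pwd)\s*=\s*([^;\s\"']+)"),
    "api_key_or_token": re.compile(
        r"(?i)(?:api[_-]?key|secret[_-]?key|access[_-]?token|secret)\b"
        r"\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{20,})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Obvious placeholders and templated values are skipped so that developers do
# not learn to ignore the scanner's output.
PLACEHOLDER_RE = re.compile(
    r"(?i)(changeme|example|placeholder|dummy|your[_-]|<[^>]+>|\$\{|\{\{)")
MIN_ENTROPY = 2.5  # bits per char; rejects filler such as "xxxxxxxx"


def shannon_entropy(value: str) -> float:
    """Per-character Shannon entropy; filler strings score near zero."""
    if not value:
        return 0.0
    length = len(value)
    return -sum(
        (n / length) * math.log2(n / length)
        for n in (value.count(c) for c in set(value)))


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, pattern) hit that survives the filters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else ""
            if value and PLACEHOLDER_RE.search(value):
                continue
            entropy = shannon_entropy(value)
            if value and entropy < MIN_ENTROPY:
                continue
            findings.append({
                "path": path, "line": lineno, "kind": kind,
                "value": redact(value), "entropy": round(entropy, 2)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory {path: contents} map, e.g. the files staged for commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_push(files: Dict[str, str]) -> bool:
    """Policy hook: any surviving finding blocks the commit or push."""
    return bool(scan_files(files))


# Constructed sample repository contents (not real Scotiabank files or secrets).
SAMPLE_FILES = {
    "fx-rates/appsettings.json":
        '{"Db": "Server=fxdb.example.internal;Database=rates;'
        'User Id=fxapp;Password=Sup3rS3cret!;"}\n',
    "mobile/config.py":
        'API_KEY = "8f3a9c2e1b7d4f6a0e5c3b9d2a7f1e4c6b8d0a2f"\nTIMEOUT = 30\n',
    "scripts/deploy.sh":
        'DB_PASSWORD=changeme\nSECRET_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"\n',
    "keys/deploy_key":
        "-----BEGIN RSA PRIVATE KEY-----\n(constructed, body omitted)\n"
        "-----END RSA PRIVATE KEY-----\n",
    # The fixed form: the secret is read from the environment (or a vault).
    "mobile/config_fixed.py":
        'import os\nAPI_KEY = os.environ["FX_API_KEY"]\n',
}

if __name__ == "__main__":
    # With paths on the command line, scan those files (e.g. from a pre-commit
    # hook); with none, scan the constructed sample.
    if len(sys.argv) > 1:
        targets = {p: open(p, encoding="utf-8", errors="replace").read()
                   for p in sys.argv[1:]}
    else:
        targets = SAMPLE_FILES
    for f in scan_files(targets):
        print(f"{f['path']}:{f['line']} {f['kind']} value={f['value']} "
              f"entropy={f['entropy']}")
    sys.exit(1 if should_block_push(targets) else 0)
```

Run without arguments it reports three findings from the constructed sample (the connection-string password, the hex API key and the private key block) and exits non-zero; the `changeme` placeholder, the all-`x` filler and the environment-variable version of the config are correctly ignored. Wired into a Git pre-commit hook with the staged file paths as arguments, a non-zero exit blocks the commit, which is the cheapest point at which to enforce a policy like the one Kolochenko describes; the redacted report means the scanner's own output can be logged without becoming a second leak.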
(This story has been modified from the original to reflect the request for information from Scotiabank and the response of the OSFI.)