ASUS engineers kept internal GitHub passwords exposed for months

The ASUS security team has clearly not had a good March. New allegations of serious security breaches by company employees have surfaced, this time involving GitHub. The news comes in the wake of a scandal involving the spread of vulnerabilities through the official Live Update servers.

A security analyst who goes by SchizoDuckie has reached out to TechCrunch to share details of yet another security hole he found in the ASUS firewall. According to him, the company mistakenly published its own employee passwords in repositories on GitHub. As a result, he gained access to the company's internal email, where employees exchanged links to early builds of applications, drivers, and tools.

The account was owned by an engineer who reportedly kept it open for at least a year. SchizoDuckie also said that he discovered the company's internal passwords published on GitHub in the accounts of two other engineers of the Taiwanese manufacturer. The source shared screenshots with reporters that confirm his findings, although the images themselves have not been published.

It is worth noting that this is a completely different vulnerability from the previous attack, in which hackers gained access to ASUS servers and modified the official software by embedding a backdoor into it (after which ASUS added a certificate of authenticity to it and began to distribute it through official channels). In this case, however, a security bug was discovered that could expose the company to the risk of similar attacks.


“Companies have no idea what their programmers are doing with their GitHub code,” SchizoDuckie said. ASUS stated that it cannot verify the claims of the specialist, but actively checks all systems to eliminate known threats from its servers and supporting software, as well as to ensure that there are no data leaks.

These kinds of security issues are not unique to ASUS - even very large companies often find themselves in similar situations related to the negligence of employees. All this speaks to how difficult the task of ensuring security in modern infrastructure is and how easy it is for data leaks to occur.




Source: 3dnews.ru
