Asus recently made the news over Operation ShadowHammer, the supply-chain attack that affected 1 million users. While that fallout isn't over, another troubling revelation involving Asus has surfaced: a researcher has detailed how Asus employees exposed their corporate passwords on GitHub.
Asus Employees Shared Corporate Passwords
Amid the fallout from Operation ShadowHammer, TechCrunch reported another striking story. A security researcher informed the outlet that Asus employees had exposed their passwords online.
As reported by TechCrunch, a security researcher using the Twitter handle SchizoDuckie disclosed that he had noticed Asus staff exposing their passwords: the employees had committed their corporate passwords into code published in GitHub repositories.
He noticed three different instances of such exposure. First, he found a password in the repository of an Asus engineer, where it had sat exposed for a year. Using this password, the researcher could access an email account that the company's engineers and developers used to share nightly builds of apps, tools, and drivers with computer users. He reported,
“It was a daily release mailbox where automated builds were sent.”
According to the researcher, access to this mailbox would let an attacker mount a spear-phishing attack, since its recipients are accustomed to receiving build attachments from that address.
“All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack.”
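The exposure described above is the classic case of a credential committed into source code. As an added example, not code from the article or from Asus, here is a minimal secret scanner of the kind a team would run as a pre-commit hook or over a repository's history. The rule names, the entropy threshold and the sample files are all constructed for this illustration; real scanners ship far larger rule sets.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Detection rules for credentials that commonly end up committed to source control.
# Illustrative patterns written for this example, not a production rule set.
ENTROPY_THRESHOLD = 3.5  # bits per character; random 20+ character tokens score well above this

PATTERNS: dict[str, re.Pattern[str]] = {
    # FOO_PASSWORD = "..." / secret: '...'  (the last capture group is the secret)
    "password_assignment": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|pwd|secret)\s*[:=]\s*["']([^"'\s]{6,})["']"""
    ),
    # smtp://user:password@host  (credentials embedded in a mail or IMAP URL)
    "smtp_url_with_credentials": re.compile(
        r"""(?i)\b(?:smtps?|imaps?)://([^:\s/]+):([^@\s/]+)@[^\s/"']+"""
    ),
    # Generic API key / token assignment; only reported when the value is high-entropy
    "high_entropy_token": re.compile(
        r"""(?i)(?:api[_-]?key|token|access[_-]?key)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']"""
    ),
    # PEM private key header
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted value, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str, keep: int = 3) -> str:
    """Keep the first few characters so a human can recognise the value, mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line of one file and return the findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # The secret is the last capture group, or the whole match for group-less rules.
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                if rule == "high_entropy_token" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                    continue  # placeholder values such as "xxxxxxxxxxxxxxxxxxxx" are not tokens
                findings.append(Finding(path, line_no, rule, redact(secret)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (what a pre-commit hook would iterate over)."""
    findings: list[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample inputs for this example; they are not taken from any real repository.
SAMPLE_FILES = {
    "build/mailer.py": (
        'SMTP_USER = "nightly-builds@example.com"\n'
        'SMTP_PASSWORD = "Wint3r-Build-2019"\n'  # hard-coded mailbox password: reported
    ),
    "build/mailer_ok.py": (
        "import os\n"
        'SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]\n'  # read at runtime instead: no finding
    ),
    "ci/release.py": (
        'GITHUB_TOKEN = "q8Zt2LpX9vNcR4mJ7wYb3Kd6"\n'  # random-looking value: reported
        'API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"\n'  # obvious placeholder, low entropy: skipped
    ),
    "deploy/config.ini": "url = smtp://releases:S3cretPass@mail.example.com:587\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.preview}")
```

The entropy gate is what keeps a rule like `high_entropy_token` from flagging every `API_KEY = "changeme"` placeholder, while `password_assignment` deliberately has no such gate because a weak hard-coded password is still a leaked password. Running a scanner like this only over the working tree is not enough: a credential that was committed and later deleted is still in the git history, so the history needs scanning as well and any hit must be rotated, not merely removed.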
Asus Warned Already, But?
According to TechCrunch, the security researcher had warned Asus about the exposure nearly two months earlier. Six days after his report, he noticed that he could no longer log in to the mailbox and assumed that Asus had resolved the matter.
He later found two more instances of employees exposing their passwords: a software architect and an engineer based in Taiwan had allegedly committed their credentials in code on their GitHub repositories.
When TechCrunch alerted Asus to the matter, company spokesperson Randall Grilli said that Asus could not verify the validity of the researcher's claims. Yet TechCrunch noticed that the repositories were pulled offline a day after its report. Taking a repository offline does not undo the exposure, either: a credential that was ever committed remains in the git history and in any clones already fetched, so it has to be treated as compromised and rotated. This evasive response certainly raises questions about the company's security practices, especially its handling of such incidents.