Asus Employees Exposed Their Corporate Passwords On Github

  • 365
  •  
  •  
  • 1
  •  
  •  
  •  
    366
    Shares

Asus recently made it to the news due to Operation ShadowHammer that affected 1 million users. While the chaos isn’t over, here comes another shocking revelation involving Asus. A researcher has recently highlighted details about how the Asus employees exposed their corporate passwords on Github.

Asus Employees Shared Corporate Passwords

Amidst the chaos of Operation ShadowHammer bashing Asus, TechCrunch revealed another striking story. Allegedly, a security researcher informed them about how Asus employees exposed their passwords online.

As reported by TechCrunch, a security researcher with Twitter handle SchizoDuckie disclosed that he noticed Asus staff exposing their passwords. He observed that the employees improperly published their corporate passwords in Github repositories.

He noticed three differences instances of such exposure. First, he found a password in the repository of an Asus engineer who left the password exposed for a year. Using this password, the researcher could access an email account used by the company’s engineers and developers to share nightly builds of apps, tools, and drivers with computer users. He reported,

“It was a daily release mailbox where automated builds were sent.”

According to the researcher, this could allow a potential attacker to wage a spearphishing attack.

“All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack.”

Asus Warned Already, But?

According to TechCrunch, the security researcher had already warned Asus about this risky activity nearly two months prior. Six days after his report, he noticed that he couldn’t log in to the mailbox anymore. Thus, he thought that Asus had resolved the matter.

However, he further noticed two more instances where employees exposed their passwords. A software architect and an engineer based in Taiwan allegedly exposed their credentials in the code on their Github repos.

However, upon receiving the alert from TechCrunch regarding this matter, an Asus spokesperson Randall Grilli said that they could not verify the validity of the researcher’s claim. Though TechCrunch noticed that the vendors pulled those repositories offline a day after their report. This shady response certainly raises a question mark on the company’s security practices, especially for dealing with such incidents.

The following two tabs change content below.
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!