A security firm has discovered a critical coding flaw in a cloud-based application used by Canada’s major telecom providers.
The flaw can be used by cyber attackers to steal administration passwords, cybersecurity company Project Insecurity said in a recent report.
The text-to-voice app in question, IP Relay, was developed by Soleo Communications. According to the report, the vulnerability in IP Relay was the result of “bad coding.”
“A developer should always check for dangerous characters in filenames,” Project Insecurity said, noting that its researchers were able to navigate the server and access a sensitive directory by simply using directory traversal characters.
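The check the report's advice points toward, as an added example that is not taken from the report or from Soleo's code. It goes beyond filtering characters: it resolves the requested path and verifies the result stays under the served directory. The directory layout, file names and function names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_join(base: Path, filename: str) -> Path:
    """'Before' form: the request value is joined onto base unchecked."""
    return Path(os.path.normpath(base / filename))


def safe_resolve(base: Path, filename: str) -> Path:
    """Return a path guaranteed to sit inside base, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or NUL byte")
    base_real = base.resolve()
    # resolve() collapses ".." and follows symlinks, so containment is
    # checked on the path the OS would actually open.
    candidate = (base_real / filename).resolve()
    if base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {filename!r}")
    return candidate


def demo() -> dict:
    """Constructed layout: <tmp>/public is served, <tmp>/conf is not."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        public, conf = root / "public", root / "conf"
        public.mkdir()
        conf.mkdir()
        (public / "help.txt").write_text("hello")
        (conf / "app.properties").write_text("admin.password=PLACEHOLDER")
        (public / "link").symlink_to(conf)  # name has no special characters
        cases = {"plain": "help.txt", "dotdot": "../conf/app.properties",
                 "absolute": str(conf / "app.properties"),
                 "inner_dotdot": "sub/../help.txt", "symlink": "link/app.properties"}
        for label, name in cases.items():
            leaks = conf in naive_join(public, name).resolve().parents
            try:
                safe_resolve(public, name)
                results[label] = (leaks, "allowed")
            except ValueError:
                results[label] = (leaks, "rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

Each result pairs whether the unchecked join would reach the configuration directory with the verdict of the containment check; the symlink case shows why a character filter on its own is not sufficient.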
Telecom companies Bell, Rogers, Telus, Videotron, SaskTel and Shaw all reportedly used Soleo’s IP Relay. IT World Canada reported that neither Bell nor Soleo Communications responded to a request for comment regarding the vulnerability. Rogers said in an email that it had been notified of the breach by the Canadian Cyber Incident Response Centre.
Although the vulnerability in IP Relay has been fixed since August 10, an attacker could have exploited it before the patch to steal passwords from configuration files, the cybersecurity firm said.
It is currently unknown whether an attacker exploited the vulnerability before the patch.