Things that shouldn’t be there
Some days ago we released a security advisory for Realtek-curious note: according to secunia, it is the first advisory for that vendor- where a piece of code that was originally intented to be used by the engineers only, ends up being compiled in the release driver. Obviously, there is no reason to think about this issue as any kind of backdoor since makes non sense, it is merely an error. In other cases, the issue is not so clear.
Anyway the fact is that sometimes either by error or having obscure intentions, there are "things" that should not be there. Nowadays, these issues pose a real threat.
Not long time ago, I was reversing a well-known software widely extended within the enterprise enviroment when I came across one of those "things": a hardcoded user/password pair that grants access in real-time to thousands of high profile emails, their associated IPs and software version, among other things.
Definitely, it's not a good idea to share the kingdom's secrets with any guy with a disassembler.
This is a valuable information that can be used in targeted attacks, phishing or even to exploit a flaw in the software. Anyway, we immediately contacted to the vendor so this information leak should be fixed soon.
Have a nice weekend!
Ruben Santamarta.
R&D/Reverse Engineer
