Wanadoo closes serious security hole

A security flaw that left the details of thousands of Wanadoo customers exposed has finally been closed, thanks to a user forum

Broadband provider Wanadoo UK has closed a security hole that left the login details of thousands of its customers exposed.

The security lapse was brought to light on a user forum, WanadooProblems.co.uk, earlier in the week. It occurred when index listings were made available due to a configuration error on a Wanadoo server based in Madeira, Portugal.

The ISP attempted to correct the error after forum members brought it to its attention, but left the files open to viewing by anyone who knew their location. This was also pointed out, and the ISP has now moved the files, so the hole finally appears to be closed.
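The two states the article describes (directory listing enabled, then listing disabled but the files still readable by anyone who knows the path) can be caught with a configuration check. The following is an added illustration, not code from the article or Wanadoo's own configuration; it assumes Apache 2.4 syntax and constructed paths, since the page does not name the server software.

```python
import re
from typing import Dict, List

# Constructed Apache-style blocks mirroring the article's three states.
WEAK_CONFIG = """
<Directory "/var/www/customers">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
"""

# The first "fix": listing off, but every file still readable by direct URL.
HALF_FIXED_CONFIG = """
<Directory "/var/www/customers">
    Options -Indexes FollowSymLinks
    Require all granted
</Directory>
"""

# Listing off and anonymous access denied to the data directory.
HARDENED_CONFIG = """
<Directory "/var/www/customers">
    Options -Indexes
    Require all denied
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

LISTING = "directory listing enabled (Options Indexes)"
OPEN_READ = "files readable by anyone who knows the path (Require all granted)"


def audit(config: str) -> Dict[str, List[str]]:
    """Return {directory_path: [findings]} for every <Directory> block."""
    report: Dict[str, List[str]] = {}
    for match in DIR_BLOCK.finditer(config):
        path, body = match.group(1), match.group(2)
        findings: List[str] = []
        for line in body.splitlines():
            tokens = line.split()
            if not tokens:
                continue
            directive, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
            # "Indexes" or "+Indexes" turns listing on; "-Indexes" turns it off.
            if directive == "options" and "indexes" in [a.lstrip("+") for a in args]:
                findings.append(LISTING)
            # Disabling the index alone does not stop direct downloads.
            if directive == "require" and args == ["all", "granted"]:
                findings.append(OPEN_READ)
        report[path] = findings
    return report
```

Run `audit()` over each constant to see that only the hardened block returns no findings for the customer directory.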

The number of customers whose personal details were left exposed is unclear. Estimates on the forum have been as high as 20,000, although a spokesperson for Wanadoo told ZDNet UK on Friday that it had "taken the precaution of writing to approximately 7,000 customers to ask them to change their passwords as an added security measure".

What is also unclear is the length of time for which the customer information was left unprotected. The owner of WanadooProblems.co.uk told ZDNet UK that, from looking at the data, it appeared the security hole "may have been there since 2004". Wanadoo's spokesperson declined to clarify this matter, but said the "previously unidentified vulnerability... was closed as soon as [Wanadoo was] made aware of it".

There is no evidence as yet that customer information was obtained and misused by any third party.

Wanadoo's spokesperson thanked the forum's owner for bringing the matter to the ISP's attention, but pointed out that "he is under a legal obligation to destroy any copies of the data that he has". The forum owner assured ZDNet UK that the "6,986 files" he managed to download from the exposed server will now be destroyed.

Ian Fogg, a senior analyst at Jupiter Research, believes that the security lapse could hurt Wanadoo's reputation with its customers.

"Sixteen percent [of broadband users] use antivirus software provided by their ISP," he said on Friday. "Will they continue to trust it? Why would you go to your ISP for antivirus software if they can't keep the basics secure?"

There is also a possibility that Wanadoo may have unwittingly breached the Data Protection Act by leaving its customers' details exposed. The ISP's spokesperson told ZDNet UK that "Wanadoo takes its Data Protection Act obligations very seriously, and is working to ensure that this doesn't happen again".

Wanadoo UK is merging with its sister company Orange, at the cost of thousands of jobs. As reported at the time, WanadooProblems.co.uk will subsequently be changing its name to OrangeProblems.co.uk.