When ISP Orange tried to make money out of blocking file-sharing, it was only a matter of time before the hackers started digging about on the company's servers.
Spurred by France's controversial 'three strikes' Hadopi legislation, Orange decided it would be a great idea to charge subscribers a €2 a month additional fee to block P2P file sharing on customer connections.
Orange said its new service would allow users to "control the activity of computers connected to your Internet line, from downloading 'illegally' using peer-to-peer networks".
The Windows-only software, which is supposed to run in the background, was aimed at parents wanting to make sure les enfants were doing their homework and not illegally downloading the Vannessa Paradis singles, or whatever French teens are into nowadays.
As we all know, whenever a big business tries to get involved in anti-piracy actions, it's only a matter of time before the file sharing and hacking communities put their heads together and mount a full frontal attack on the offending institution.
In this case it was a rapscallion by the name of Bluetouff who took the giant telco to task, using easily available tools to sniff out some pretty worrying holes in the anti-filesharing software, according to Torrent Freak.
Using Wireshark to sniff the software's traffic on his local network, Bluetouff was able to identify an IP address the software contacts to obtain its updates. Which in itself is not too worrying. What is worrying is that all of the information on the remote Java server in question is transmitted in the clear, and the server itself is totally open to the public.
"The software communicates with a remote server, a Java servlet actually located on (IP address removed to protect the stupid)."
Nothing too out of the ordinary there – except that all information is not only being transmitted in the clear but all information on that server is public, meaning that every user had their IP addresses exposed to anyone who happened to wander by.
Much to the embarrassment of Orange, until recently the server was still open, and both user name and password on the account were set to 'admin'. Quite possibly the biggest schoolboy security error we have ever seen.
Torrent Freak has confirmed that it is quite possible to send malware to anyone using the software.
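The reason an open, cleartext update server lets a third party push malware to every installed client is that the client has no way to tell a genuine update from an injected one. As an added illustration (example code, not Orange's software and not Bluetouff's tooling), here is the check a defensively written update client would perform before applying anything it downloads: the manifest must point at an HTTPS URL, must carry a valid Ed25519 signature from the vendor's key, and the payload must match the hash the signed manifest names. The manifest layout, key names and sample payload are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateManifest is the metadata an update server publishes next to a payload.
// The layout is hypothetical, chosen for this example only.
type UpdateManifest struct {
	Version    string // release identifier
	URL        string // where the payload is fetched from
	PayloadSHA string // hex SHA-256 of the payload bytes
	Signature  []byte // Ed25519 signature over canonical(m)
}

// canonical serialises the signed fields in a fixed order so that signer
// and verifier hash exactly the same bytes.
func canonical(m UpdateManifest) []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.PayloadSHA + "\n")
}

// PayloadHash returns the hex SHA-256 that a manifest should carry for payload.
func PayloadHash(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor-side step: the private key never leaves the
// build system, so an attacker who reaches the update server cannot forge it.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) UpdateManifest {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}

var (
	ErrCleartext       = errors.New("update URL must use https")
	ErrBadSignature    = errors.New("manifest signature invalid")
	ErrPayloadMismatch = errors.New("payload hash does not match manifest")
)

// VerifyUpdate is the client-side step. It refuses cleartext transport,
// an unsigned or tampered manifest, and a payload that does not match the
// hash the signed manifest names. Only a nil return means "safe to apply".
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || !strings.EqualFold(u.Scheme, "https") {
		return ErrCleartext
	}
	if !ed25519.Verify(pub, canonical(m), m.Signature) {
		return ErrBadSignature
	}
	got := PayloadHash(payload)
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.PayloadSHA)) != 1 {
		return ErrPayloadMismatch
	}
	return nil
}

func main() {
	// Constructed demo: a fresh vendor key, one signed release, one tampered download.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("example update payload (constructed)")
	m := SignManifest(priv, UpdateManifest{
		Version:    "1.0.1",
		URL:        "https://updates.example.invalid/client-1.0.1.bin",
		PayloadSHA: PayloadHash(payload),
	})
	fmt.Println("genuine payload:", VerifyUpdate(pub, m, payload))
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, []byte("not the real update")))
}
```

The signature covers the URL and hash, not just the version string, so an attacker who controls the server (or, as here, can read and replay its cleartext traffic) cannot redirect the client to a different payload without also holding the vendor's signing key. The default `admin`/`admin` account described above would still be a serious problem, but it would no longer be enough on its own to turn the update channel into a malware distribution point.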