Accidental social engineering

2007-07-11 / jpoesen

Deploying a new Drupal project we just developed involved me contacting the customer’s hosting company to arrange some system maintenance preparations.

This was the very first time I ever contacted that company.

I introduced myself, we made arrangements and at the end of our 5-minute conversation I indicated I was having problems accessing the system through ssh. The sysadmin promptly looked up the root password and volunteered the info over the phone. No questions asked, no ID check. Just like that.

My customer has been notified and they will no doubt be filing a complaint.

That one of Belgium’s largest hosting providers can act in such a dangerous and irresponsible way is beyond shocking.