A new hack has exposed vulnerabilities in the Telus website that hosts the company’s web services, including the ability to install an unpatched version of the open-source Firefox browser onto a site.
The attack was discovered on the telco’s public-facing website and could potentially allow an attacker to bypass Telus’ firewall and install a malicious browser onto any Telus device, including its home network.
The telco has confirmed the vulnerabilities but has not yet disclosed how they were exploited.
The hack was discovered by researchers who used a Telus SSL Certificate Authority (SSL) certificate to install a Mozilla Firefox browser on a site called www.telus.com.
Telus also confirmed the vulnerability in a statement to Reuters on Wednesday.
“The Telus certificate we issued in April was not trusted, and Telus does not use any of the telnet.com domain names,” the telco said.
“It’s impossible to tell how many of the domains used by telnet are actually used by Telus.
However, the Telster certificate is only valid for a limited period of time, and the telster.com website has not been updated since February 2017.”
The telster website contains links to other Telus websites, including some that contain links to the tels site hosting the telcom website, and it hosts a number of other vulnerable sites that also contain the browser.
“While this is a small portion of Telus servers, it is very concerning to us,” Telus CTO and vice president of customer service, John McNeill, said in a press release.
“We are working with the teleserts, telus.net, and telnet provider who were the primary recipients of the attack to address the vulnerability.
We are confident in the security of our products and services and our customers trust us to ensure that they are safe.”
Telus has been working with security researchers for the past year to fix vulnerabilities discovered in Telus products, and has said it has “taken a number” of steps to address its security.
“Telus is taking a number on this vulnerability and will update its security procedures to take into account this issue,” McNeill said.
Telstra, Optus and Vodafone have also confirmed that their own websites and services were affected by the Telstrol vulnerability.
“This is a new one for us,” Vodacom chief executive officer, Mark Danker, said.
“[Telstra] said it’s in its labs, and then they had to admit that they’re not going to fix it.
I think that’s the biggest blow for Telstra.”
Telstra has said that it has already deployed a fix for the Telstrol vulnerability that will also protect other Telstra products, including phones and tablets.
“Although we do not believe it will be a significant impact on customers, we will continue to work closely with our telco partners to identify and address any issues that may occur,” Telstra said in an emailed statement.
“Our customers have confidence in us to work with them to secure their network, and we have already started working with Telstra on a fix that will help protect customers.”
Telstrava CEO Mark O’Neil has previously expressed concerns about the security flaws discovered in Telstrava’s services.
Telstraya is Telstra’s mobile phone operator, and is one of the top three providers in the country.
Telstar, Telstra TV and Telstra Broadband also have access to the Telstar network, which is used to connect customers to video and radio services, among other services.