A simple categorizing mistake has resulted in the publishing of an internal Allied Telesis document that reveals how to set up backdoor accounts for the company’s switches.
According to Jody Feigle, Allied’s North American Customer Support Manager, the document was recategorized from “public-internal” to “public global” by mistake, which made it available – along with three other documents – for perusal to Internet users on the company website.
Indexed by Google, it was spotted, downloaded and posted to a file sharing site. The file – an Excel spreadsheet – contains instructions on how to obtain a backdoor password for around 20 different switch models made by Allied Telesis. A password generator for some of the switches was also made public.
According to ThreatPost, Allied is trying to minimize the importance of the incident and reassure users by pointing out that the backdoor accounts can only be set up by someone who has physical access to the device.
It also says that even though the document is referring to backdoors, the feature is actually a password recovery feature used by most hardware manufacturers.
The company is currently working on removing the leaked documents from the file sharing sites and has notified its support staff of the incident.