French ISP Offers to Block File-Sharing, Exposes Users to Attack

In response to the implementation of France’s “Hadopi” or three-strikes law, which targets illegal file sharers, a French ISP began offering its customers a service that would block file-sharing on their connections, but the software came with its own problems.

Orange was the ISP offering the service, for the small price of two Euros per month, and it was intended to allow users to “control the activity of computers connected to your internet line” by blocking access to an unknown series of blacklisted sites and addresses.

Unfortunately though, according to Torrent Freak, the Windows-only software, as detailed by a techie named Bluetouff, communicated with a public server that still had the default username and password of admin/admin. Oops.

Torrent Freak that it was:

… informed that people have accessed the server and have discovered that it’s possible to send malware to anyone using the software which makes a bit of a joke out of Orange when it claims: “The software runs in the background to ensure your safety without disrupting the important tasks that you perform”

Also, in an additional twist, the former French Minister of Culture, Christine Albanel, is now employed at orange as Executive of Communication.

Tweet about this on TwitterShare on FacebookShare on Google+Share on RedditEmail this to someone


  1. 0
    tallimar says:

    he said that he creates a customized account and uses that as the administrator in place of the default account, essentially replacing it.

  2. 0
    Neeneko says:

     I am not following how this would make a differnce in this case.  It sounds like the sever application itself had the default username and password, so creating a unique user on the server would have no impact on the hole.

    On the client side, I doubt most users are going to build a jail for a service that their ISP probably tells them to install via ‘double click setup and never worry again’.

  3. 0
    axiomatic says:

    How do people pull off stupid stuff like this? When I load Windows server applications I dont even use the local service account as the service account, I make a unique user for the services just so this kind of stupidity can not leveraged by a malicious user.

    Sorry but this is security 101 stuff. The person who loaded this software needs to be terminated.

Leave a Reply