Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?
An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
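The submission's worry is that database credentials sit in config files other accounts on the same box can read. The script below is an added example written for this page (it is not the reader's test script and not anything from the hosting company): it audits a single account's web root for common credential-bearing config files that are readable by group or others and tightens them to owner-only. The file names it looks for (wp-config.php, config.php, .env, settings.php, *.ini) and the credential patterns it greps for are assumptions about typical PHP hosting layouts; adjust them to your own site. The caveat a practitioner should keep in mind: this only helps where the host runs each customer's scripts under that customer's own uid (suEXEC or a per-user PHP-FPM pool). If every customer's PHP runs as one shared web-server user, file modes cannot isolate accounts and only the host can fix it.

```shell
#!/bin/sh
# Added example: audit a shared-hosting account for config files that hold
# database credentials and are readable by group or others, then restrict
# them to the owner (mode 0600). File names and grep patterns below are
# assumptions about common PHP hosting layouts, not values from the page.
#
# Usage:  . ./harden_secrets.sh; harden_secrets "$HOME/public_html"

# list_exposed DIR: print config-like files under DIR whose group-read (040)
# or other-read (004) bit is set. -perm -MODE is POSIX and portable.
list_exposed() {
    find "$1" -type f \
        \( -name 'wp-config.php' -o -name 'config.php' -o -name '.env' \
           -o -name 'settings.php' -o -name '*.ini' \) \
        \( -perm -004 -o -perm -040 \) 2>/dev/null
}

# has_credentials FILE: exit 0 when the file looks like it carries database
# connection settings (assumed patterns for WordPress/PHP style configs).
has_credentials() {
    grep -qiE 'DB_PASSWORD|DB_USER|password[[:space:]]*=|mysqli?_connect' "$1"
}

# harden_secrets DIR: for every exposed file that contains credentials,
# chmod it to 0600 and print the path. Exposed files without credentials
# are left alone so a legitimately world-readable config is not broken.
harden_secrets() {
    list_exposed "$1" | while IFS= read -r f; do
        if has_credentials "$f"; then
            chmod 0600 "$f" && printf 'fixed: %s\n' "$f"
        fi
    done
}

# count_exposed DIR: number of still-exposed config files, for a quick
# before/after comparison (0 means nothing credential-like is left open).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}
```

Run `count_exposed` before and after `harden_secrets` to see what changed; a non-zero count afterwards means only non-credential configs remain readable, which is usually intended. Even after this, re-run the reader's kind of cross-account read test: if another account can still read your 0600 file, the isolation failure is on the host's side.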
Move to a new host. Don't talk about the old host, don't post the script, don't describe it at all. You don't want the lawsuit/criminal charges that will follow.
I do the same as I do when I see other illegal stuff. I report it.
I have once reported childporn. I was ordered to go to the police station where they tried to put the following on me:
1) Spreading of childporn (Remember that I was the one who reported it)
2) Obstruction of the law (because I called the newspaper, after which they finally closed the site)
3) Falsification of my person (because my throwaway email address did not have any official address)
I sent the report from work. They called there to say they needed to speak to me concerning a childporn case. Luckily I had VERY understanding management (who even offered to pay for lawyers if anything would come of it towards me) otherwise I could have been out of a job.
So if I ever see anything illegal again, I would do the right thing and report it.
But somehow I never have seen anything illegal after that. Not even people speeding or pedestrians walking through a red light. Strange, isn't it?
Don't fight for your country, if your country does not fight for you.
I read a lot of indignant posts and a few moany warning ones on the subject. The authors of either kind of post have obviously lost touch with the American Way.
When you find a vulnerability, the first thing to do is to disassociate yourself from it. Wipe your data and close down your account (many posts correctly advised this). Then get two sets of some cheap one-off hardware (second-hand paid-in-cash stuff is best). Use one of those to assess the economic potential of your find as best as you can (or you'll get fleeced later on).
Then you Monetize your find. Quickly, before someone else beats you to it. That's the American Way right there.
Use the second piece of old kit you bought to surf the web. There are certain websites, often in Eastern Europe, on which you will find people who'll use a peculiar form of English but who will be prepared to pay smallish but reasonable amounts for such information. Depending on e.g. whether the flaw leads to credit card data (that's why you ascertained the economic potential of your find first) or advanced military technology (in which case you may be able to get better quotes from buyers in the Middle East or the Far East).
Be aware that there is a certain protocol to be followed when conducting this sort of transaction. Contacting them from home, work, or any other place that can easily be traced to you is a beginner's mistake. Secondly, don't *ever* give out information like your real name, physical address, bank account or credit card to them. They won't do that either, and besides, you'll *really* value your privacy when dealing with them.
Use e.g. an old second-hand laptop and work from an Internet cafe or use a prepaid smart phone with Internet browsing facilities. Don't ever use that hardware for *anything* but completing this one transaction. Wipe, disassemble, smash, and ditch said hardware component-wise as soon as the transaction is completed.
The trick is of course to get the money to where you can spend it. Having it wired into your account will show up and may be a bit difficult to explain. Even when done from a US account (you can negotiate for this but it costs extra). They will pay you in bitcoin or E-gold if you insist, but that too is tricky. Asking for cash in the mail is asking to be fleeced, and likewise a bit conspicuous should they actually do it (amateurs).
I'm leaving the question of arranging secure and discreet transfer as homework. Additional points will be awarded (optionally off the record or against a discreet little cash bonus) for really good solutions. Remember: should government officials come calling at your doorstep you'll automatically fail the course and all traces of your enrollment will mysteriously have vanished. No refunds.