Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
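The submission says a neighbour on the box could find your SQL connection string in ten minutes. The part of that a tenant controls is their own footprint: whether the files holding those credentials are reachable by "other" at every step of the path. The script below is an added example, not the poster's test script and not anything the hosting company ships. It audits only a directory you own (it never touches other accounts), flags world-reachable files that look like they hold database credentials, and strips the other-bits from them. The config filenames, the regex and the sample tree are constructed for the example.

```python
"""Audit one tenant's account on a shared host for credential files another
local account could read, then tighten their permission bits.

Added example: walks a directory you own, reports files whose mode bits make
them readable by 'other' all the way down from the account root, and flags
the ones whose name and contents suggest a DB connection string.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Filenames that commonly carry DB credentials on PHP shared hosting.
# Assumed for the example; extend for your stack.
CONFIG_NAMES = {"wp-config.php", "configuration.php", "config.php", ".env", "settings.php"}

# Rough, illustrative signature of connection-string material.
SECRET_RE = re.compile(
    r"(DB_PASSWORD|DB_USER|DATABASE_URL|mysqli?_connect|new PDO\(|password\s*=)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    mode: str               # e.g. '0o644'
    world_reachable: bool   # o+r on file AND o+x on every dir from root down
    looks_like_secret: bool


def others_can_reach(path: str, root: str) -> bool:
    """True when 'other' can open the file: read bit on the file itself and
    execute (traverse) bit on every directory between root and the file.
    Directories above root (e.g. /home) are assumed traversable, which is the
    usual case on shared hosts."""
    if not (os.lstat(path).st_mode & stat.S_IROTH):
        return False
    root = os.path.abspath(root)
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if not (os.lstat(d).st_mode & stat.S_IXOTH):
            return False
        if d == root:
            return True
        parent = os.path.dirname(d)
        if parent == d:          # reached filesystem root without meeting 'root'
            return True
        d = parent


def audit(root: str) -> List[Finding]:
    """Inspect every regular file under root (symlinks are skipped)."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue
            looks_secret = False
            if name in CONFIG_NAMES:
                try:
                    with open(p, "r", errors="replace") as fh:
                        looks_secret = bool(SECRET_RE.search(fh.read(65536)))
                except OSError:
                    pass
            findings.append(Finding(p, oct(stat.S_IMODE(st.st_mode)),
                                    others_can_reach(p, root), looks_secret))
    return findings


def exposed_secrets(root: str) -> List[Finding]:
    """Files that are both reachable by other accounts and credential-bearing."""
    return [f for f in audit(root) if f.world_reachable and f.looks_like_secret]


def exposed_names(root: str) -> List[str]:
    return sorted(os.path.basename(f.path) for f in exposed_secrets(root))


def harden(root: str) -> int:
    """Remove all 'other' bits from exposed credential files; returns count fixed."""
    fixed = 0
    for f in exposed_secrets(root):
        mode = stat.S_IMODE(os.lstat(f.path).st_mode)
        os.chmod(f.path, mode & ~0o007)
        fixed += 1
    return fixed


def build_demo_tree() -> str:
    """Constructed sample account: one exposed config, one private one, one
    harmless world-readable page. Contents are made up."""
    root = tempfile.mkdtemp(prefix="tenant_")
    os.chmod(root, 0o711)                      # typical home dir: traversable, not listable
    web = os.path.join(root, "public_html")
    os.mkdir(web)
    os.chmod(web, 0o755)

    def put(rel: str, text: str, mode: int) -> None:
        p = os.path.join(root, rel)
        with open(p, "w") as fh:
            fh.write(text)
        os.chmod(p, mode)

    put("public_html/wp-config.php", "<?php define('DB_PASSWORD', 'example-only');", 0o644)  # exposed
    put("public_html/index.php", "<?php echo 'hello';", 0o644)                               # harmless
    put(".env", "DATABASE_URL=mysql://app:example-only@localhost/db", 0o600)                  # private
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in audit(demo):
        print(f)
    print("exposed before:", exposed_names(demo))
    print("fixed:", harden(demo))
    print("exposed after:", exposed_names(demo))
```

Run it against your real account root instead of the demo tree. The caveat before applying `harden` for real: on hosts where PHP runs as the web server user (mod_php) rather than as you (suEXEC/FastCGI), `chmod o-rwx` on `wp-config.php` will break the site, because Apache is one of the "others". In that setup the file has to stay readable by the server user, which is exactly why such hosts are only as safe as the isolation the provider enforces, and why the advice elsewhere in this thread to treat a shared box as compromised is not hyperbole.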
  • by TubeSteak ( 669689 ) on Saturday October 27, 2012 @03:51PM (#41791151) Journal

    Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

    https://forms.us-cert.gov/report/ [us-cert.gov] is also a good place to report exploits.
    But if you're shy, I'd also consider forwarding the details to a reputable security research company,
    so that maybe they can alert others with misconfigured systems and CERT.

  • by Giant Electronic Bra ( 1229876 ) on Saturday October 27, 2012 @03:51PM (#41791161)

    You have no idea what idiotic web applications people are running. You should ASSUME that any shared host is compromised. Don't store any unencrypted data there which is at all sensitive. Given the low cost of renting a virtual or physical host machine these days it seems there's little reason to bother with shared hosting (yes, it is cheaper, but honestly the cost of an AWS micro instance is pretty low).

    The real problem is bulk shared hosting facilities just can't afford to tinker. There are often 100 or more accounts on a server, sometimes even 1000's. One stupid tweak to fix a security hole can break a LOT of scripts. These places will always prefer to just set up servers and not EVER patch them.

    The ultimate observation is just that driving the cost of hosting down to $2.99 a month means doing absolutely nothing beyond what is absolutely needed to make it work. You get what you pay for.

  • by kop ( 122772 ) on Saturday October 27, 2012 @03:55PM (#41791195)
    http://en.wikipedia.org/wiki/Responsible_disclosure
    Contact them to agree a timeframe to patch.
  • Be careful! (Score:5, Informative)

    by wmelnick ( 411371 ) on Saturday October 27, 2012 @03:56PM (#41791203)
    If you live in the US, or your hosting is in the US, what you have done is technically cyber-crime. While I hate to say this, your best recourse is to move to another host and leave it all behind you. Should the hosting company start losing business because of you warning other users you could face all kinds of civil lawsuits and possibly even criminal penalties.
  • by Seor Jojoba ( 519752 ) on Saturday October 27, 2012 @03:57PM (#41791209) Homepage
    I wouldn't do that. Original poster has described his history with the company. Effectively, he is no longer anonymous. Lawsuits could follow public statements here.
  • by Simonetta ( 207550 ) on Saturday October 27, 2012 @04:10PM (#41791325)

    Contact the company again with your findings. They patched the hole that you pointed out before but kept the details of the exploit limited to senior programmers and support. When they reloaded the server after a down period, a SNAFU recreated the hole.

    So there are two problems. One is the security hole that you found and the other is their back-up and security breach repair process. Point out both problems to them.
    Then review the security of your data that you are exchanging with them. How important is it that this data remain secret? And secret to who? To another user who might have stumbled onto the same exploit window? To a Soviet/Russian criminal organization? (a three-way redundancy, yes, I know) To the American feds? To your wife or kid that looks over your shoulder while you type?

    Please understand, all this technology is still basically new. It has problems. Tech problems and social problems. The tech issues get discovered and solved faster than the social problems, i.e. crime issues. For example, we (the American government and Interpol) can not go after criminal organizations in the (former) Soviet Union because many of them are in alliance with the corrupt Soviet/Russian/Gangster government that still controls thousands of nuclear bombs. So criminal organizations there can loot American banks and businesses with stolen credit card information with near impunity. It's a defect of the modern computer age. It will get fixed someday, but for now, guard your data and be aware that every data and login password that you type on an internet-linked PC can be stolen.
    If the web-server company can't and/or won't fix the issue after you point it out to them several times, document the issue and submit this documentation in writing (not on-line) to both the local Better Business Bureau and your state Attorney General's Office. When they get inquiries from both parties about this issue, they will get the fear of God and fix it right. Until then, be patient and remind people to guard their data.

  • by mysidia ( 191772 ) on Saturday October 27, 2012 @04:14PM (#41791349)

    Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

    If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report, listing you as the offender, with possible criminal charges, for you hacking their service.

    Their lawyers may also send you a cease-and-desist letter, warning that you will be sued if you publish the information.

  • Re:Do nothing (Score:5, Informative)

    by Zontar_Thing_From_Ve ( 949321 ) on Saturday October 27, 2012 @04:15PM (#41791351)
    You absolutely cannot post the script or make any kind of public statement about the company and what it takes to get this information. The US and the UK have laws that I know of that cover hacking activities and your discovery of this problem could potentially be legally viewed as running afoul of those laws. If you live in the USA, trust me on this. You really do not want a possible fine and jail term hanging on the whims of the US jury system.
