
Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
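The submitter's worry is that a neighbouring account on the same box can read configuration files holding database credentials. A tenant cannot fix the provider's isolation, but can at least check whether their own files are readable by other local users and tighten the modes. The script below is an added example for this thread, not the submitter's test script or anything from the hosting company; it assumes an ordinary POSIX shared host where each customer runs under a separate UID, so the "readable by group or others" bits are what would expose a file to a neighbour. The file names, contents and credential patterns are constructed for the demo.

```python
"""Audit a hosting account's files for exposure to other local users.

Added example for the Ask Slashdot thread above; not the submitter's script.
Assumes a POSIX shared host where other tenants run as different UIDs, so a
file is exposed to them when its group or other read bit is set.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Constructed patterns for the kind of material the submitter mentions
# (SQL connection strings and config constants). Deliberately simple.
CREDENTIAL_PATTERNS = [
    re.compile(rb"(?i)\bDB_PASSWORD\b"),
    re.compile(rb"(?i)mysql_connect\s*\("),
    re.compile(rb"(?i)\b(password|passwd|pwd)\s*=\s*\S+"),
    re.compile(rb"(?i)mysql://[^:\s]+:[^@\s]+@"),
]


@dataclass
class Finding:
    path: str
    mode: str           # octal mode bits, e.g. "0644"
    exposed: bool       # readable by group or others
    has_credentials: bool


def is_exposed(mode: int) -> bool:
    """True when group or others can read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def contains_credentials(data: bytes) -> bool:
    return any(p.search(data) for p in CREDENTIAL_PATTERNS)


def audit_tree(root: str, max_bytes: int = 1 << 20) -> list[Finding]:
    """Walk the account tree and record mode and content class of every regular file."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular entries
            mode = stat.S_IMODE(st.st_mode)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)  # cap the read so large uploads don't stall the audit
            findings.append(Finding(path, f"{mode:04o}", is_exposed(mode), contains_credentials(data)))
    return findings


def at_risk(findings: list[Finding]) -> list[Finding]:
    """Files that are both readable by other local users and hold credential-like content."""
    return [f for f in findings if f.exposed and f.has_credentials]


def fix_exposure(findings: list[Finding]) -> list[str]:
    """Remediate: clear group/other read and write bits on at-risk files. Returns changed paths."""
    changed = []
    for f in at_risk(findings):
        current = stat.S_IMODE(os.stat(f.path).st_mode)
        os.chmod(f.path, current & ~(stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH))
        changed.append(f.path)
    return changed


def build_demo_tree() -> str:
    """Constructed sample account: one world-readable config holding DB credentials,
    one properly restricted config, and one harmless public page."""
    root = tempfile.mkdtemp(prefix="hosting-audit-")
    public = os.path.join(root, "public_html")
    os.makedirs(public)
    samples = {
        os.path.join(public, "wp-config.php"): (b"<?php define('DB_PASSWORD', 'example-only'); ?>", 0o644),
        os.path.join(root, "private.ini"): (b"password = example-only\n", 0o600),
        os.path.join(public, "index.html"): (b"<h1>Hello</h1>\n", 0o644),
    }
    for path, (content, mode) in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    findings = audit_tree(root)
    for f in at_risk(findings):
        print(f"AT RISK mode={f.mode} {f.path}")
    print("tightened:", fix_exposure(findings))
```

Run against a real account root (`audit_tree(os.path.expanduser("~"))`) the report shows which of your own files a neighbouring UID could read. Note the limit the submitter's own description implies: if the host's hole lets one account read "any file on the server" regardless of mode bits, for instance because all customers' scripts execute under one shared web-server user, tightening permissions on your side does not close it, and the only real fix is the provider's.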
This discussion has been archived. No new comments can be posted.

  • Do nothing (Score:5, Insightful)

    by Gutboy ( 587531 ) on Saturday October 27, 2012 @03:46PM (#41791107)
    Move to a new host. Don't talk about the old host, don't post the script, don't describe it at all. You don't want the lawsuit/criminal charges that will follow.
  • Re:Do nothing (Score:5, Insightful)

    by serialband ( 447336 ) on Saturday October 27, 2012 @03:49PM (#41791133)

    You might want to tell them why you're moving to a new host. Explain that their security is insufficient for your needs, which is why you're moving. You don't have to give them more detail than that.

  • by Neil_Brown ( 1568845 ) on Saturday October 27, 2012 @04:06PM (#41791281) Homepage

    and attempting to speak with the ISP has not worked (it's not clear if you have tried to inform them that the bug remains on this, and likely other, servers, and given them the chance to fix it (albeit a second chance)), call up your data protection regulator on Monday morning, and explain the nature of the issue and its impact?

  • by Maow ( 620678 ) on Saturday October 27, 2012 @04:53PM (#41791609) Journal

    Others have made a good case for simply moving on, but another thought would be to move to another provider, then notify them via certified letter why you're moving and informing them that if/when the hole is exploited (and reiterate that you will not exploit it yourself), then the certified letter will be shared with the legal teams of those customers who have suffered damages.

    i.e. "Here's your official notice of a potential exploit, don't say you weren't warned."

    It won't provide preemptive help for their other customers but may make their damages somewhat recoverable through legal means.

  • Re:Do nothing (Score:5, Insightful)

    by rgbrenner ( 317308 ) on Saturday October 27, 2012 @05:11PM (#41791743)

    So rather than be dealt with as a civilian, you would prefer to be 'unlawfully engaged in warfare against another state'?

    I don't think that would be an improvement...

  • Re:Do nothing (Score:4, Insightful)

    by Chris Mattern ( 191822 ) on Saturday October 27, 2012 @05:21PM (#41791841)

    Which is great, until you find out the Somebody Else regards it as Not His Problem.
