300 UK domains pilfered, MASSIVE security lapse blamed

What appears to be a glaringly obvious security hole has been blamed for the snatching of 300 domains hosted by one web-hosting firm last year, The Reg has discovered. A source told El Reg that anyone with a hosting package from 123-Reg, and hence an account control panel, simply had to change the final section of the URL …
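The hole the article describes is an insecure direct object reference: the control panel authenticated the customer but never checked that the object named in the URL actually belonged to them, so any paying customer could read or change another customer's domain by editing an identifier. The following is an added example, not 123-Reg's code or anything taken from the article: the URL shape (`/cp/domain/<id>`), the account and domain records, and every function name are constructed to show the vulnerable lookup next to a hardened one, and a walk over the id space to show what each lets an ordinary logged-in account reach.

```python
"""Insecure direct object reference (IDOR) in a hosting control panel:
the vulnerable lookup beside a hardened one.  Added example, not 123-Reg's
code; the account/domain records, the URL shape and the function names
are all constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Domain:
    domain_id: int
    name: str
    owner_account: int          # account allowed to manage this domain
    nameservers: Tuple[str, ...]


# Constructed sample registry: two customer accounts with two domains each.
DOMAINS: Dict[int, Domain] = {
    101: Domain(101, "alice-example.co.uk", 1, ("ns1.example.net", "ns2.example.net")),
    102: Domain(102, "alice-shop.co.uk", 1, ("ns1.example.net", "ns2.example.net")),
    201: Domain(201, "bob-example.co.uk", 2, ("ns1.example.net", "ns2.example.net")),
    202: Domain(202, "bob-blog.co.uk", 2, ("ns1.example.net", "ns2.example.net")),
}


class LoginRequired(Exception):
    """No authenticated session."""


class DomainNotFound(Exception):
    """Domain does not exist, or the caller is not allowed to see it."""


def domain_id_from_path(path: str) -> int:
    """Take the object id from the final path segment, e.g. '/cp/domain/102' -> 102.
    (The real panel's URL layout is not on the page; this shape is assumed.)"""
    last = path.rstrip("/").rsplit("/", 1)[-1]
    if not last.isdigit():
        raise ValueError(f"no numeric object id in {path!r}")
    return int(last)


def vulnerable_get_domain(session_account: Optional[int], domain_id: int) -> Domain:
    """Authentication only: any logged-in account can read any domain record."""
    if session_account is None:
        raise LoginRequired()
    try:
        return DOMAINS[domain_id]
    except KeyError:
        raise DomainNotFound(domain_id) from None


def hardened_get_domain(session_account: Optional[int], domain_id: int) -> Domain:
    """Authentication plus authorisation: the record must belong to the caller.
    A foreign domain gets the same answer as a missing one, so the endpoint
    cannot be used to enumerate which ids exist."""
    if session_account is None:
        raise LoginRequired()
    record = DOMAINS.get(domain_id)
    if record is None or record.owner_account != session_account:
        raise DomainNotFound(domain_id)
    return record


Lookup = Callable[[Optional[int], int], Domain]


def update_nameservers(session_account: Optional[int], path: str,
                       new_nameservers: Tuple[str, ...], lookup: Lookup) -> Domain:
    """The state-changing operation behind the panel: reads the id from the URL,
    fetches the record through `lookup`, and returns the updated record.
    With the vulnerable lookup this lets account 2 repoint account 1's domain."""
    record = lookup(session_account, domain_id_from_path(path))
    return Domain(record.domain_id, record.name, record.owner_account, new_nameservers)


def reachable_domains(session_account: int, lookup: Lookup) -> List[str]:
    """What an attacker learns by walking the id space with one ordinary login."""
    names = []
    for domain_id in sorted(DOMAINS):
        try:
            names.append(lookup(session_account, domain_id).name)
        except DomainNotFound:
            pass
    return names


if __name__ == "__main__":
    print("vulnerable:", reachable_domains(2, vulnerable_get_domain))
    print("hardened:  ", reachable_domains(2, hardened_get_domain))
```

The fix is not in the URL parsing but in the lookup: the ownership test has to sit in the one function every handler goes through, so that a forgotten check in one of dozens of endpoints cannot reopen the hole.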

COMMENTS

This topic is closed for new posts.
  1. Stephen 2

    123-Reg admin panel sucks hard

    It's always been so terrible. Constantly kicks you out because the various parts don't play nicely with each other. Easy to access other peoples details/domains as mentioned in this post and it's generally just a huge pile of wank.

    1. andy 103

      Re: 123-Reg admin panel sucks hard

      You're not kidding. In web development circles the 123-reg control panel is regarded as the best example of how NOT to develop a web application. Usability isn't a word they've heard of and it seems that also applies to security.

      Avoid.

  2. jubtastic1

    That's ridiculous

    Just plain asshattery, whoever coded that admin panel needs their computer operators licence revoked.

  3. Spender

    That's just astonishingly negligent. I'm taking my custom elsewhere with immediate effect (it will be my next action after posting this message).

    Those morons don't deserve my business. Thanks for the heads-up, reg.

    1. Anonymous Coward

      Err...

      Negligent on their part, yes, but you clearly didn't do any basic due diligence either. If this is such an obvious problem, you and everyone else should have seen it too.

      1. Anonymous Coward

        Re: Err...

        "you clearly didn't do any basic due diligence either"

        Are you suggesting we security test every web application we use? What happens if they fail the test and you find yourself up in court for gaining unauthorised access to a computer/network?

        A certain expectation and level of trust is assumed when you do business with anyone, 123-Reg have breached that trust and Spender is well within his/her rights to be peeved.

        1. Anonymous Coward

          Re: Err...

          No, but I am suggesting that if you chose a service which had an apparently glaring problem such as this, and a service which has a row of commentators queuing up to slag off all over the Internet, then you probably got what you paid for.

          A few web searches could constitute due diligence, rather than a full on pen test.

  4. Unlimited

    They still have customers?

    Why do people continue to do business with 123-reg? Their service was always appalling.

    1. Anonymous Coward

      Re: They still have customers?

      Because it is easy as 1 2 3.

      #1 You sign up,

      #2 You enter whateverdomainyoulike.co.uk in the address bar,

      #3 The domain is yours

    2. Anonymous Coward

      Re: They still have customers?

      They're cheap when you start wanting to use their name servers for your hosting, and their DNS setup is simple. Not sure how many people are dumb enough to use them for hosting.

      Their name servers are good. I've had no end of clients who use the name servers in their hosting package, which are two references to their own VPS.

      Oh, and their service is still a mile better than GoDaddy, who set the industry baseline in being tools.

  5. tin 2

    123-reg's control panel has been broken in a number of ways for a few months now, notwithstanding the effort maybe a year ago to update it to something that looks modern, bolted onto the top of their old control panel. I've paid for renewals I didn't want to with them because I couldn't get the domains transferred out with bits of the registrar lock and admin details panels being broken at various times.

    Of course I can't say if the weakness exploited is part of the new or the old CP. I hope it's actually the new one. The old one was boring and plain but entirely functional, and remnants of it are clearly underneath parts of the new one.

    Now for example if you're a heavy user of email forwarding, a small, old, rather long webpage is replaced by (in my case) a 1MB, 40,000 line behemoth of javascript which will show a whole 10 email addresses (while the rest are in the source, but you need to click to see them). It also nicely puts ellipses in email addresses making them impossible to read, usually replacing no letters at all, just for a laugh.

    If this security problem affects .co.uk, as it would seem (Nominet's involvement), then 123-reg's statement that it has "terminated our registrar agreement with one registrar" seems BS; they indeed have, but I understand it's their upstream .com registrar (which in itself has caused nightmares for those of us with .coms registered through 123-reg). It also seems from the story to make no difference as it's 123-reg's control panel that's at fault, so why they could say they've "worked with our registrars to help them tighten security" also reads as BS.

    Unfortunately 123-reg's marketing/PR have been hundreds of thousands of miles away from what's actually happening on the ground for months (have a gander at their tweets to and from - complete disconnect). Presumably these statements came from the PR bods sitting there in cloud airy-fairy land.

  6. Frankee Llonnygog

    Broken or not

    My registrar advertises it's a pro outfit, and they manage domain name portfolios for major blue chip companies with highly visible brands. Want to screw up one of those domains and damage that brand? Go to the web control panel, and keep trying username/password combos to your heart's content (you have unlimited attempts). None of that, 'welcome frankee, you last logged in at ... ' nonsense either.

    I won't name the registrar or give the URL of the control panel coz, in this case, obscurity is all the security I've got.

    However, in case any readers recognise that description and work for that company - your portal sucks and its security is pathetic.

    I'd gladly pay more for proper security with, perhaps, a hardware token.

    Same story with my DNS hosting. Don't even get me started on how the Press Team's Twitter accounts have better security than this.

  7. Lee D

    Bear in mind who they are

    "With its brands 123-reg, Heart Internet, Host Europe, Webfusion, Host Europe Suisse, Domainmonster, RedCoruna and Donhost, the Group has a strong market presence in the UK, Germany, Austria, Switzerland and Spain."

    If 123-reg are negligent like this for years without telling anyone, it's pretty certain that the other companies are just as bad.

    I had no end of rows with 123-reg over a customer's FTP hosting where they just deleted files from an FTP account that only I had access to. Literally, the whole site, just disappeared - all sorts of CGI and back end code gone and all the HTML removed (obviously I had backups, but that's not the point). When I reported it (because it broke the website I'd just made for the client), they then phoned up my client(!) and vehemently shouted me down to my client to the point where relations were very strained all round. I demanded a conversation with their top technical guy and recorded it. I still have the MP3 somewhere, because they were basically phoning up my customers (i.e. the details on the webpage, not the owner/technical contact on the domain) and telling them it was my fault and I'd deleted all their website.

    The technical guy said they'd had no data loss. But they didn't have backups of ANYTHING I'd uploaded over the last six months. Nothing at all. I demanded they change the FTP password on the account because if *I* didn't do it, and I was the only one with the login details, then *SOMEONE* did and I needed to secure the website. 3 years later, the password was still unchanged despite a LOT of requests on my part. They had no FTP access logs AT ALL, to prove me wrong or see if they'd had an intrusion. Nothing. Not even a list of IPs from their authentication system. They could not even tell me when I'd logged in, and I'd given them my IP. The technical guy at least had the decency to start sounding sheepish at the point they realised that they had no way to tell what had happened, and that I probably had more logs than they did.

    The client eventually moved over to a completely different host, and didn't blame me - mainly because they were annoyed at being rung up by someone not associated with them at all who then proceeded to blame the guy they were paying for something they hadn't even noticed up until then - but it's those sorts of things that cost you customers (and initiate lawsuits!).

    It's a shame. For a while, I had hosting and accounts with several of their now-subsidiaries but they've all gone to pot in the intervening years.

    1. Anonymous Coward

      Re: Bear in mind who they are

      We also had a whole site and db wiped out during their control panel updates.

    2. Anonymous Coward

      Re: Bear in mind who they are

      That'd be an interesting conversation to hear as it's very unusual to get someone properly senior on the phone at any hosting company from the technical side of things

    3. mickey mouse the fith

      Re: Bear in mind who they are

      "I had no end of rows with 123-reg over a customer's FTP hosting where they just deleted files from an FTP account that only I had access to."

      I had so many problems with their FTP that I gave up in the end. Permissions on files randomly changed, certain files just refused to be updated because of some weird read-only bit being set and no amount of fucking about on my end would change it. Directories disappearing or refusing to disappear etc.

      The final straw came when my CC expired when I had 4 months left to run on my contract (fully paid up). The buggers tried locking me out of the control panel until I updated it. No way I was going to do that and let them take another year's worth automatically.

      In their defense, their staff were always prompt and helpful, shame any fixes they applied were only (very) short lived with the same problems returning within a few days.

    4. Jamie Jones

      Re: Bear in mind who they are

      FTP? That may be your problem right there.. Don't suppose you were using telnet for interactive access also?

  8. Anonymous Coward

    I can't say I'm surprised. If you phone them up they even ask for your password, so their grasp of security isn't exactly great.

  9. adam payne

    This is just negligence plain and simple.

  10. Anonymous Coward

    I noticed a couple of years back that they started offering paid-for subdomains. It was something like £10 for 10 subdomains per year.

    I was confused as I had many subdomains on my domains simply by adding A records (what is www again?)

    It was at the same time that they simplified the DNS control panel and you had to press an extra button to get to the advanced control section.

    Basically, it's an idiot tax for the rubes. Still got many many subdomains without paying a penny extra.

    /anon, because I don't want my domains hacked.

    1. Clive Galway

      That's funny. Kinda like when an ISP offers you static IP(s) for a monthly fee.

      Immediately sets alarm bells ringing that one.

      1. DaLo

        How is that the same?

        There is only a finite number of v4 IPs and they are pretty much all allocated. Therefore how do you get static IPs from your ISP other than by buying them off them or using a different ISP?

        At least with monthly subs people will consider whether they really need them and hand them back at the end of their use.

  11. Gordon Pryra

    Referred to Britain's Information Commissioner?

    Should that not be referred to the local police? It's theft, no?

  12. ArthurGuy

    I reported this hole to 123 reg about a year ago, I wonder when last year this actually happened?

  13. Anonymous Coward

    It wasn't always like that...

    In the earlier days of my using 123-reg, I did indeed decide to test the security when I saw the URL in a GET request, and was unable to access another 123-reg account of my employer's (which I also had credentials for); it didn't work. Seems like someone disabled the security in the last 5 years. From experience this is usually an internal testing gaff.

    1. Lee D

      Re: It wasn't always like that...

      "gaff"

      Pretty weak words for something which allows anyone to take over your entire domain without your knowledge, everything from DNS to email to hosting, and make you fight to get it back, and fight more to get it recognised a year after the event.

      And internal testing? That's internal for a reason. A production website with X thousand customers shouldn't be suffering "gaffs" like this, at all. And if your security is a little button that you turn off when convenient (rather than, say, proper testing of cookies to ensure that an XSS attack isn't taking place, and checking that user X is not even capable of looking at data for user Y), then it's not security.

      1. Anonymous Coward

        Re: It wasn't always like that...

        Commenting or a simple "||true" added can produce this behaviour. Forgetting to remove "||true" is a gaff with pretty dire consequences, but still a gaff none the less.

        As for testing, if they only test amended code as opposed to the full product something like that can go unnoticed.

        I'm not saying it's right, I'm saying it could be the consequence of a small error, and that happens.

        1. Anonymous Coward

          Re: It wasn't always like that...

          Not separating user assets is quite a big "ups" to go unnoticed, wouldn't call it negligence, rather plain and simple stupidness.

  14. Anonymous Coward

    Areet Gaffer

    gaff

    an iron hook with a handle for landing large fish.

    *GAFFE

    a social blunder; faux pas.

  15. Aristotles slow and dimwitted horse

    So if 1-2-3 et al are so bad...

    Who would you recommend for this sort of thing?

    (genuine enquiry as am looking to register a domain name in the near future)

  16. jimjamyaha

    Refuse to acknowledge security issues...

    I had one domain with them that I found out was set to forward to someone else's domain. I had not set this up. Since last year I have been on a tortuous battle to state that I did not make this change and that account security must have been compromised.

    They always deny this and just state that 'the domain forwarding has now been removed' - which obviously it has because I removed it!

    Going to use this article as fodder to force the issue and prob just move all my domains away from them as it seems they have security issues - and a lack of customer service in admitting that something could actually be their fault.

  17. Anonymous Coward

    Poor old 123reg. FWIW, I've used them for years, and yes, the control panel was made by a retarded fool in his lunch hour, but for the amount I actually use it, it's been fine.

    However, I had to find out about this breach from El Reg - not from the email that 123reg should have sent me. Therein is the core issue - making a technical mistake as they did is pretty crappy, and they shouldn't have made it. However, not dealing with it properly indicates they've got dozens more issues kicking about that they're not fixing either.

  18. Tim Boothby

    Reckless negligence

    The more I think about this, the more horrified I feel about this. A business's domain, dns and email are really, really critical to them.

    Think about what you can do if you can mess with an organisation's DNS. You could set up an impostor website on their genuine domain to use in a phishing attack. You could alter their MX records and intercept all their inbound email. You could point their domain to any other website of your choice. You could proxy their website and intercept all communications to and from it.

    Without any statement from 123-reg on this issue we only have this article for information, but if all three million domains they hosted were vulnerable to this, the potential for compromise of sensitive data here is staggeringly enormous.

    They certainly have a duty to protect customers' domains and DNS as these are the keys which protect much confidential information. It also sounds like customers with 123-reg hosted email boxes were vulnerable. I'd say the Information Commissioner should be very interested in this case.

    For such a fundamental basic error to have gone unnoticed smacks of a company where security isn't even on the agenda. Had the developers had any security training, had there been any internal testing or external pen testing this would surely have been picked up. So it seems reasonable to conclude none of this is going on. One might also presume then that they don't have the information to properly investigate this, to determine what other customers might have been affected.

    Given how important control of domains is, to have such a lack of security amounts to reckless negligence.

    There is no comment from 123-reg - they haven't informed customers, haven't replied to my email asking for assurance. Haven't even issued a statement saying the issues are resolved. Haven't warned customers to check their DNS and MX records are correct.

    I would say that Nominet and the other TLD registries are to an extent culpable here too. They should be setting out minimum levels of security for domain retailers which should at minimum include an independent penetration test of their systems and ideally ISO27001 certification.

    I'm left wanting to move my domains away from 123, but being unsure if anyone else in the market is actually any better.

    Very, very shabby.
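The advice in the comment above, that affected customers should check their DNS and MX records are still correct, is easy to automate: keep a known-good copy of each record set and diff the live answers against it. The following is an added example, not from the article, 123-reg or the commenter; the baseline, the "tampered" answers, and the domain names are all constructed, and the offline resolver stands in for a live lookup (a dnspython-based one is included but not exercised here).

```python
"""Check a domain's live DNS against a known-good baseline so that tampering
with NS, A or MX records is noticed.  Added example, not from the article or
123-reg; the baseline, the observed answers and the tampering are constructed."""
from typing import Callable, Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]                      # (owner name, record type)
Resolver = Callable[[str, str], Iterable[str]]

# Constructed baseline: what the records should be, rdata as presentation text.
BASELINE: Dict[Key, Set[str]] = {
    ("example.co.uk", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.co.uk", "A"): {"203.0.113.10"},
    ("example.co.uk", "MX"): {"10 mail.example.co.uk."},
    ("www.example.co.uk", "A"): {"203.0.113.10"},
}

# Constructed "live" answers after an attacker has repointed the domain:
# a higher-priority MX now diverts inbound mail, and the apex A record has moved.
TAMPERED: Dict[Key, Set[str]] = {
    ("example.co.uk", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.co.uk", "A"): {"198.51.100.7"},
    ("example.co.uk", "MX"): {"10 mail.example.co.uk.", "5 mx.attacker.example."},
    ("www.example.co.uk", "A"): {"203.0.113.10"},
}


def make_resolver(table: Dict[Key, Set[str]]) -> Resolver:
    """Offline stand-in for a DNS lookup, backed by a constructed answer table."""
    return lambda name, rtype: table.get((name, rtype), set())


def normalise(rdata: str) -> str:
    """Canonical form so cosmetic differences (case, missing trailing dot on
    a host name) do not raise a false alarm.  Dotted-decimal addresses are
    left without a trailing dot."""
    rdata = rdata.strip().lower()
    if rdata.endswith(".") or rdata.replace(".", "").isdigit():
        return rdata
    return rdata + "."


def check_baseline(expected: Dict[Key, Set[str]], resolve: Resolver) -> List[str]:
    """Return one finding per record set that differs from the baseline.
    An empty list means every checked record set matches."""
    findings = []
    for (name, rtype), want in sorted(expected.items()):
        want_n = {normalise(r) for r in want}
        got_n = {normalise(r) for r in resolve(name, rtype)}
        if got_n == want_n:
            continue
        unexpected = sorted(got_n - want_n)
        missing = sorted(want_n - got_n)
        findings.append(f"{name} {rtype}: unexpected={unexpected} missing={missing}")
    return findings


def live_resolver(name: str, rtype: str) -> List[str]:
    """Real lookup via dnspython (pip install dnspython); not used offline.
    Imported lazily so the offline parts carry no dependency."""
    import dns.resolver
    return [rdata.to_text() for rdata in dns.resolver.resolve(name, rtype)]


if __name__ == "__main__":
    for line in check_baseline(BASELINE, make_resolver(TAMPERED)):
        print("ALERT", line)
```

Run it from cron against `live_resolver` and alert on a non-empty result; querying the authoritative servers directly rather than a caching resolver shortens the time between a change at the registrar and its detection.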

