Wondering if the WHMCS support ticket system is hacked.



I just requested an email change and they want me to send them an admin login to my WHMCS installation. I have replied that I will not do that.

 

They also said that their ticket system is not secure, as I could be spoofing and I may not be who I claim to be.

 

It looks to me that WHMCS needs to address security further, as apparently they do not trust someone who is logged in and using their internal ticket system.

 

Very suspect when they want my admin login to my WHMCS installation.

 

Anyone else getting weird replies from support wanting your login information?

I have replied a couple of times and they still persist in wanting to log in to the admin section of my WHMCS installation. Apparently nothing is secure with WHMCS: if they cannot trust a logged-in customer using their internal ticket system, then I will not be able to either. That is a serious security problem.

 

Going to start looking at other billing systems. If the internal ticket system cannot be trusted, then nothing can be trusted. Apparently WHMCS does not comply with security standards, as evidenced by the recent break-ins; not a good idea to use a system that is dangerous to your customers.

Hey,

 

Under no circumstances give out your admin login information, especially after the recent events.

 

I highly doubt the support system is still hacked, as Matt would by now have expired all admin and support center staff passwords.

 

Right now, I would plead with you to take a screenshot of the ticket, note the name of the operator and show them to Matt.

They have persisted in five replies that the only way to confirm my account is for them to log in to my WHMCS admin installation. If they are not smart enough to figure out a better way to confirm an account, I do not think WHMCS is for me.

 

By their own admission their internal ticket system is not secure. That alone kills it for me, as how could I ever trust a support ticket in the system. If someone can inject support tickets without being logged into an account, then nothing could ever be trusted within the system.

 

They need to re-think security, as WHMCS is not secure by their own admission.

I completely agree,

 

I can understand from one point of view, because all details were leaked in the database, that there aren't many ways to verify your identity. However, in saying that, asking for your personal logins to your WHMCS is highly unprofessional and should never be done.

 

The best thing I can suggest, like I said previously, is to talk to Matt and give him the name of the Support Operator that keeps prompting you for your logins.

  • WHMCS CEO

Following recent events we are of course being extra cautious. So if there's even the slightest sign of any suspicion over account ownership, the support team will simply be trying to verify that you are indeed the valid owner of that account. All you need to do for that is set up a temporary admin user, send that in, and then delete it again once it's been verified. That way they can be sure you are the real owner of the license key in question, since you have proved you have access to the installation it is used for. A lot of trouble tickets lead to requiring a login anyway to troubleshoot an issue. It has nothing to do with the ticket system being insecure.

 

Matt


I had given support FTP access for an ordering issue on my site since before the leak, so I removed the access. Last night I granted them access again upon their request.

 

If it was the hacker that responded, then they might want to hire him, because he was the only one to figure it out.

Matt,

 

The below is quoted from a reply from Lawrence via your ticket system.

 

"we accept tickets via e-mail and, while unlikely, it is possible that a malicious user could spoof your e-mail address".

 

That specifically states that your ticket handling method is not secure.

Matt,

 

The below is quoted from a reply from Lawrence via your ticket system.

 

"we accept tickets via e-mail and, while unlikely, it is possible that a malicious user could spoof your e-mail address".

 

That specifically states that your ticket handling method is not secure.

 

 

Anyone can hack into an email client and spoof emails, as general emails sent through Outlook, Windows Mail etc. are not a secure medium. If you are replying to support tickets, then generally it is more secure to do this from the support system, as this will most likely be under an SSL certificate.

So what I think Lawrence is implying is that submitting a reply via email is not secure, not the support ticket system.

Edited by easyhosting

Matt,

 

The below is quoted from a reply from Lawrence via your ticket system.

 

"we accept tickets via e-mail and, while unlikely, it is possible that a malicious user could spoof your e-mail address".

 

That specifically states that your ticket handling method is not secure.

 

No, it specifically states that email is insecure.

If the only way that WHMCS can verify an account is by logging in to the customer's install, then what do the companies that use WHMCS for their billing do?

 

Not all products sold allow that kind of ability, so how does a WHMCS user verify their customers if the internal ticket system cannot be trusted?

 

This is a serious problem that needs to be addressed.


If the only way that WHMCS can verify an account is by logging in to the customer's install, then what do the companies that use WHMCS for their billing do?

 

Well for a start, our database hasn't been leaked to the World, so we don't need to be quite as over-cautious as WHMCS currently need to be.

 

How else do you suggest they verify you?

Hey WHMCS.

 

Bear in mind, the users at the moment are also concerned with whether what we provide on WHMCS is secure, or even IF we are dealing with WHMCS.

I know I did a ton of verification before downloading the patch from WHMCS.

 

Perhaps do something a little less obtrusive, something like Google verification:

Upload the following file to the WHMCS folder?

DNS TXT record?

There's a lot that can verify someone is the domain owner without physically giving logins to admin areas.
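The file-upload / DNS TXT record idea above, worked through as an added example. This is not code from the post or from WHMCS; the server secret, the record prefix, the record name and the file path are all assumptions made for the example. The point it shows is that the published value is bound to the account, the domain and an expiry with an HMAC, so a proof captured for one license cannot be replayed for another, and the verifier needs no stored state.

```python
# Added example (not WHMCS code): stateless challenge-response proof of
# domain ownership, in the style of "upload this file" / "add this TXT record".
import hashlib
import hmac
import secrets

# Constructed for the example; a real service would load a per-deployment
# secret from its configuration and never hard-code it.
SERVER_SECRET = b"example-only-server-secret-do-not-use"
RECORD_PREFIX = "whmcs-verify="      # assumed format of the TXT record / file line
CHALLENGE_TTL = 3600                 # seconds a challenge stays valid


def _tag(account_id: str, domain: str, nonce: str, expires: int) -> str:
    # Bind the token to account, domain and expiry so it only proves
    # ownership of *this* domain for *this* account, for a limited time.
    msg = f"{account_id}|{domain.lower()}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(account_id: str, domain: str, now: int) -> dict:
    """What support would send the customer: the value to publish, and where."""
    nonce = secrets.token_hex(16)          # fresh per challenge, never reused
    expires = now + CHALLENGE_TTL
    token = f"{nonce}.{expires}.{_tag(account_id, domain, nonce, expires)}"
    return {
        "value": RECORD_PREFIX + token,
        "dns": f"TXT record at _whmcs-verify.{domain}",          # assumed name
        "file": f"https://{domain}/.well-known/whmcs-verify.txt",  # assumed path
    }


def verify_proof(account_id: str, domain: str, presented: str, now: int) -> bool:
    """Check one published value; recomputes the tag instead of looking it up."""
    if not presented.startswith(RECORD_PREFIX):
        return False
    parts = presented[len(RECORD_PREFIX):].split(".")
    if len(parts) != 3:
        return False
    nonce, expires_s, tag = parts
    if not expires_s.isdigit() or int(expires_s) < now:
        return False                       # malformed or expired challenge
    expected = _tag(account_id, domain, nonce, int(expires_s))
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def verify_txt_records(account_id: str, domain: str, records: list, now: int) -> bool:
    """Accept if any TXT string (or file line) verifies.
    Unrelated records such as SPF are ignored, not treated as failures."""
    return any(verify_proof(account_id, domain, r.strip(), now) for r in records)


if __name__ == "__main__":
    now = 1_700_000_000                    # constructed timestamp
    challenge = issue_challenge("1234", "billing.example.com", now)
    # Constructed zone data, as a resolver or an HTTPS fetch would return it.
    records = ["v=spf1 -all", challenge["value"]]
    print(verify_txt_records("1234", "billing.example.com", records, now + 60))
```

The same `verify_proof` serves both channels: for DNS the verifier resolves the assumed `_whmcs-verify` name and passes the TXT strings in; for the file it fetches the assumed well-known path over HTTPS and passes the lines in. Either way the customer never hands over an admin login, and the verifier learns only that whoever controls the domain could publish the value.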


If the only way that WHMCS can verify an account is by logging in to the customer's install, then what do the companies that use WHMCS for their billing do?

 

Not all products sold allow that kind of ability, so how does a WHMCS user verify their customers if the internal ticket system cannot be trusted?

 

This is a serious problem that needs to be addressed.

 

I think the other way that is implied, though not clearly in what you quoted from Lawrence, is that if you log into your account on WHMCS and reply to your support ticket through their WHMCS interface, you would in effect be verifying you are the owner. Correct me if I'm wrong, WHMCS team, but if the user has reset the password on their account (as was required for all WHMCS accounts last week), then they have changed the password, which means the leaked data is no longer quite as useful (for logging in, anyway).

 

Of course I'm speculating on the above, as we handle sensitive customer data regularly and require our customers to fill in our tickets online prior to initiating the ticket. After that they can reply by email, since presumably they are the valid account holder if they logged into their account on our site to open the ticket.

 

The internal ticket system can be trusted, the emails coming into it at times cannot be.

 

Steven


  • 3 weeks later...

I have proved who I am myself: I posted a comment on my WHMCS under announcements that said "WHMCS, it's me, Melvin". Now if I did not have access to that WHMCS, how did I post that? I have had enough. All I was trying to do is change my password. WHMCS staff wanted me to allow access to IPs. Well, I am sorry: my admin area has a file that only allows access from one IP, mine.

All I am trying to do is pay my bill to WHMCS. If I cannot get access to my account by the time it is due, then you as WHMCS can shut it down. I will use the backup billing I already have. I have never had as much trouble trying to pay a bill to a company before.

If anyone from WHMCS wants to resolve this before they lose a customer, contact me.

Melvin,

 

WHMCS are being cautious after recent events. Personally I think they are doing a great job and all these extra security checks are there to protect people like you and me, even if they do cause a pain in the ass...

 

If they are asking you to provide such access, it means they want to be 100% sure you are who you say you are before they reset any account credentials.

I think the other way that is implied, though not clearly in what you quoted from Lawrence, is that if you log into your account on WHMCS and reply to your support ticket through their WHMCS interface, you would in effect be verifying you are the owner. Correct me if I'm wrong, WHMCS team, but if the user has reset the password on their account (as was required for all WHMCS accounts last week), then they have changed the password, which means the leaked data is no longer quite as useful (for logging in, anyway).

 

True, but if a user had the same email password as a server login, the client's email could have been compromised as well. Or if the client reset the password to the same password.

 

I have no problem setting up a temporary admin account, which I have set up now but "disabled".