
How much longer are we going to tolerate insecure password resets?


Seiya


WHMCS is still not following best practice (not to mention PCI compliance) when it comes to client area password resets, and given the time they have had to fix this I find it unacceptable, especially considering what just happened a few months ago. I have requested that this vulnerability get patched multiple times but I always get the same response: 'We'll add this to our issue list'. If you care for your and your clients' security then you need to pay attention.

 

When a customer receives a password reset email and they click on the link to reset their password, the WHMCS system currently generates a new random password and sends it back to the user via EMAIL. This leaves the password sitting in their email account and if they do not change it, it is a major risk considering how often email gets hacked.

 

 

  • Instead the customer should be taken to a secure URL where they can create their own new password with no passwords ever being recorded in email.
  • Additionally, when a password reset is requested, if an email address is submitted that does not exist, the notice should say that the email has been sent regardless, to prevent people from being able to enumerate customers on the system.
  • Please see the attached workflow for the correct handling of password resets.

 

This is not rocket science! How can a company with WHMCS's resources not implement this?

 

[Attachment: Password-Reset.jpg]

For more info see - http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html

Edited by Seiya
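As an added illustration of the flow the bullets above describe (this is example code, not from the original post and not WHMCS's own code; it is written in Python rather than WHMCS's PHP so it can be run as-is): the reset email carries only a random, single-use, time-limited token, the server stores just a hash of that token, the customer chooses the new password at the link, and the request endpoint answers identically whether or not the address exists. The class and function names, the `example.test` host and the in-memory `outbox` that stands in for the mailer are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 3600  # a reset link is only honoured for one hour

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the salt and derived key are ever stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    salt, key = stored
    return hmac.compare_digest(hash_password(password, salt)[1], key)

class PasswordResetService:
    def __init__(self, users, clock=time.time):
        self.users = users      # email -> {"pw": (salt, key)}
        self.tokens = {}        # sha256(token) -> (email, expiry); the raw token is never kept
        self.clock = clock      # injectable so expiry can be tested
        self.outbox = []        # constructed stand-in for the mail system: (email, link)

    def request_reset(self, email: str) -> str:
        # Same message for known and unknown addresses, so nobody can enumerate customers.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, f"https://example.test/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token: str, new_password: str) -> bool:
        # The customer sets the password at the link; no password ever travels by email.
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[email]["pw"] = hash_password(new_password)
        return True

def token_from_link(link: str) -> str:
    """What the reset page does with the URL the customer clicked."""
    return parse_qs(urlsplit(link).query)["token"][0]
```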

I know you are asking WHMCS to build this in and it wouldn't take them much work to do this. However, if you want to have this functionality without waiting on WHMCS this could be easily done by building your own password reset functions. Or you could make use of hook scripts and a custom field to detect the first time they login with a password emailed to them and force them to set a new password.


So you want someone to make a new password on the screen and be done with it... ya good luck when they hack all your stuff..

 

I don't really understand your comment. Yes, the idea is for the client to define their own password within the client area.

 

What do you mean by

"and be done with it"

 

And why do you say

ya good luck when they hack all your stuff..

I know you are asking WHMCS to build this in and it wouldn't take them much work to do this. However, if you want to have this functionality without waiting on WHMCS this could be easily done by building your own password reset functions. Or you could make use of hook scripts and a custom field to detect the first time they login with a password emailed to them and force them to set a new password.

 

Hey Joe,

 

Yeah, you are absolutely right, we could code this ourselves. In fact, there is even an addon available which does exactly this for 0.99c per month. However, this is not the point I'm getting at. My point is that WHMCS has a bad security record, and in order for ourselves and future clients to trust that they are taking security more seriously, WHMCS needs to step it up like they said they would after the recent exposure.

 

This password reset vulnerability is low-hanging fruit; in the world of risk management it's high threat, high vulnerability and therefore high risk, and with a very low remediation cost it should be fixed immediately. Any security audit would highlight this on the first page; not getting it fixed shows an absolute disregard for security IMHO.


My point is that WHMCS has a bad security record

 

who says?

 

They had the eval exploit, which they immediately issued a security patch to fix.

 

Hostgator allowed a hacker group access to WHMCS servers ( this was corrected ASAP)

 

Look at CE, Hostbill, Fantastico, Installatron, Microsoft, McAfee, Symantec, and the list can go on; they have all had security issues of one kind or another. This is the nature of any software.

 

So let's all stop using Microsoft as they have had security issues (do you think this will happen? I guess NO).

Edited by easyhosting

who says?

 

They had the eval exploit, which they immediately issued a security patch to fix.

 

Hostgator allowed a hacker group access to WHMCS servers ( this was corrected ASAP)

 

Look at CE, Hostbill, Fantastico, Installatron, Microsoft, McAfee, Symantec, and the list can go on; they have all had security issues of one kind or another. This is the nature of any software.

 

So let's all stop using Microsoft as they have had security issues (do you think this will happen? I guess NO).

 

Ok, I'm not here to argue whether they have a good record or not; I'm not a hosting industry expert. I was simply going off the sentiment I picked up reading the long thread that built up over on webhostingtalk during the last exploit and my own experience as an infosec consultant. Even if you believe they have a great record, do we not want to be patching these obvious vulnerabilities urgently anyway? My point here was to try to get some attention focused on this vulnerability so we all win.


Ok, I'm not here to argue whether they have a good record or not; I'm not a hosting industry expert. I was simply going off the sentiment I picked up reading the long thread that built up over on webhostingtalk during the last exploit and my own experience as an infosec consultant. Even if you believe they have a great record, do we not want to be patching these obvious vulnerabilities urgently anyway? My point here was to try to get some attention focused on this vulnerability so we all win.

 

Every software has security issues; it's how these are handled that counts. WHMCS issues patches as soon as issues appear. Do you think others like RVsitebuilder and Softaculous update on a regular basis just because they feel like it? These are because they find issues that need to be patched. The only difference to WHMCS is that these have a way for users to allow them to do this automatically, so you as a user don't need to do this.

 

You referred to the WHT thread about the Hostgator issue. If you read that fully you will see 95% of that thread is just the same info repeated over and over again, where users failed to follow simple instructions given by Matt and the team to sort things out with their own installations.

Edited by easyhosting

Every software has security issues; it's how these are handled that counts. WHMCS issues patches as soon as issues appear.

 

But they don't. That is what this thread is about: a security vulnerability exists and WHMCS is doing nothing to fix it. If nobody cares about this vulnerability then that's fine; we'll have no choice but to fix it ourselves. I thought this community was very concerned with security, and that's why I'm trying to highlight this issue.


But they don't. That is what this thread is about: a security vulnerability exists and WHMCS is doing nothing to fix it. If nobody cares about this vulnerability then that's fine; we'll have no choice but to fix it ourselves. I thought this community was very concerned with security, and that's why I'm trying to highlight this issue.

 

The way password resets are is the way it has always been done. If you look at the moans ever since the Hostgator issue, then the moans have increased. Not really a security issue if you use emails that are site-based where you have SSL certs rather than free emails such as Gmail/Hotmail etc. The emails we use are those set up on our website that are under SSL, so are secure; we never use these free emails such as Gmail/Hotmail as these themselves have security issues.


The way password resets are is the way it has always been done.

That does not mean the way it is currently done is the best way to do it. I would agree with the OP that the suggested change would be a security improvement, which is something I would think every WHMCS user would want.


That does not mean the way it is currently done is the best way to do it. I would agree with the OP that the suggested change would be a security improvement, which is something I would think every WHMCS user would want.

 

Yes, it would be a security enhancement, but it is not a major security issue as it is for every user; this is most likely why it is not high on WHMCS's to-do list. As I stated, if you are using an email address on a domain that is secured by SSL and have email secured by SSL, then emails are secure. It is only when you use free email addresses, Gmail/Hotmail etc., that have their own security issues that this could be an issue.

 

This is how insecure these free email address services are when it comes to passwords: http://www.techweekeurope.co.uk/news/yahoo-password-breach-88199

Edited by easyhosting

Yes, it would be a security enhancement, but it is not a major security issue as it is for every user; this is most likely why it is not high on WHMCS's to-do list. As I stated, if you are using an email address on a domain that is secured by SSL and have email secured by SSL, then emails are secure. It is only when you use free email addresses, Gmail/Hotmail etc., that have their own security issues that this could be an issue.

 

SSL provides transport security and authentication. The major threats to email today are phishing, social engineering and other types of exploits that trick users into revealing their credentials. The attackers log in to the SSL-protected email accounts without any issues, and the first thing they often do is look for password reset emails so they can begin exploiting other systems that the email account owner manages. For this reason, working passwords should never be stored in email. Read the link in the first post of this thread; there is a lot to learn about password security.


WHMCS issues patches as soon as issues appear.

 

Therein lies the problem. They wait for an issue to happen before it is fixed. Until it is fixed, every user of WHMCS is vulnerable. I believe in the method of prevention to begin with. I agree that this problem should be addressed quickly. That way, no patch needs to be issued to fix it.

 

The way password resets are is the way it has always been done.

 

If that was the standard, then why did we ever move away from DOS to the various other "operating environments" or operating systems (depending on the computer type)? It was always done on DOS (for PCs) so it should have stayed that way, right? Windows wasn't needed and, in fact, the Mac wasn't needed either, right? The Apple computer should have been enough since that was how it was always done.

 

The point is, email is not secure. Not everyone has the ability to use secure email either. Plain and simple, plain text is just not secure and that needs to be addressed!
