WHMCS Global Services - hacked and doing nothing about it

[tap0le]

WHMCS Administration: Please remove all WHMCS Global Services' modules from your marketplace.

About a week ago, WGS sent out an e-mail telling it's clients to run a php script to patch an issue with their license server. It ended up not being from WGS. It was a hacker, who had gained access to their system.

WGS' client database has been leaked, along with their creditcard hash, and instructions on how to hack ANY host which uses "ClientX" theme. It includes a list of the hosts which use this theme. License servers have been down as well for WGS, so if you are paying for their modules, you can't use them anyways.

Here are some pastes which show the hackers' activity,  WGS response, and a timeline for this entire event.

<removed from community by moderation team>

Please, any hosting companies that use their services, delete the  modules from your system. You are at risk.

[tap0le]

Really, you're going to remove from my comments and give no notification or acknowledgement of this? I should've figured you don't care about your users either WHMCS.

[tap0le]

The first link i gave didn't actually disclose any sensitive information, and honestly the community has a right to know. Anyone who wants to know more, just conact me. I'll share what WHMCS is censoring.

[bear]

It gave database info, encryption hash and more. I'd call that sensitive. Offering to provide links, publicly or privately shows a disregard for causing further harm.
The fact they've allowed the thread to remain (with links removed) should be evidence enough they agree it's important enough to leave publicly visible. Removing the links (especially the second one) shows they would like to try and reduce the amount of damage this causes to innocent third parties and the company that created the flawed products. 

Information is good, punishing the people behind the problem is not. 

[tap0le]

My mistake, I didn't realize the first link contained that info. I went back and checked and see that it did include WGS' config file. I agree, their clients should not be put at a deficit due to their poor security. I am one of their clients. I understand removing the link, but the standard courtesy is to notify that you've modded someone's post.

I do feel that all their modules should be suspended from being sold in the marketplace, as they are still vulnerable.

For the record, I don't support how the hackers handled this. They should never have exposed private information or dumped databases. They should've given the information to WGS, waited a period of time giving them a chance to rectify, and released the information on the vulnerabilities to the public and nothing more.

[wp4all]

There was already a post on the Hacked day and it was closed totally instead removing the Link.

I was wondering that this post was just modified and not closed .

There are still a lot of listed domains using WGS addons, I am not sure if it is not clear that anyone can board their site.

Just my 5ct

[bullten]

Well few days back we opened a same thread but whmcs closed it intentionally. We pay monthly for whmcs and whmcs doesnt want us to discuss anything about the issue with third party addons that it may cause it to the users. Wondering where is cpanel who will come in and give us their thought about taking down unsecured addons or charging some amount to addons developer for security examination of code. Anything listed on whmcs marketplace is like authorized by whmcs team but why they dont even if we get hacked.

I remembered the day when a hacker from localhost.re released whmcs exploits for sql injection and it all users were effected. Now is see whmcs is listed on https://www.hackerone.com/.

Modules developers can do the same by registering on https://www.hackerone.com but they doesnt care. What they care is all about maximum earning. Security word doesn't exist in their dictionary.

Second, till now WGS havent sent any email about nature of hack because still they dont understand how it was done and they provide managed linux administration. Also according to their activity they just changed their server and sent a new patch to users of clientx themes after the hackers sent an email containing the explained exploit.

Now hackers got all their modules and they will start to render each code and I am sure their are many security loopholes and next time they wont send an email to module users. They will directly hack the site and do whatever they want ( ask money, delete data, access server, delete server, etc) because they already warned module users not to use it any more.

Between we stopped using one of their module we had and looking for some trusted alternative.

 

[Remitur]

Just my two cents (I'm not involved, and I have no modules from WHMCS Global services): the only good hacker is a dead hacker.

In previous posts I've read crazy and crazy phrases.

There's a security issue, and want to discuss about it? Create a close group (wherever you want, it's your choice) and discuss about it privately: discussing about it publicly is madness.
When the security issue will be closed, then will be the time of public posts and comments... 

 

[brian!]

19 minutes ago, bullten said:

Anything listed on whmcs marketplace is like authorized by whmcs team but why they dont even if we get hacked.

no it isn't - the listing may be authorised (that can't be denied! lol), but certainly not the addon itself - there are no checks on the coding by WHMCS, and they are definitely not vouching for it.

https://marketplace.whmcs.com/help/marketplace#question28

Quote

How are add-ons reviewed?

We review and approve all new listings in the WHMCS Marketplace to ensure that add-on information is as complete as possible. However, we do not monitor, review or provide any assurances about the quality of code contained within any add-ons or extensions. If you find dangerous or malicious code posted here, please report it to us.

I would be astonished if WHMCS ever got to the stage of charging for listings in Marketplace, and/or validating code before listing - they simply won't have the staff levels to do the latter, nor would I expect them to have even the remotest inclination to do it.

Quote

Can I trust third-party add-ons?

The WHMCS Marketplace is designed to give you visibility to see if an add-on is reliable. All listings provide the following resources to help you make informed decisions about the add-ons you install and use. Reviews and ratings from other users. See if compatibility is kept up-to-date with the latest version. Changelog tab allows you to see if the developer is active and regularly providing updates. Review screen shots and other information in the listing description.

 

[Kian]

41 minutes ago, bullten said:

We pay monthly for whmcs and whmcs doesnt want us to discuss anything about the issue with third party addons that it may cause it to the users. Wondering where is cpanel who will come in and give us their thought about taking down unsecured addons or charging some amount to addons developer for security examination of code. Anything listed on whmcs marketplace is like authorized by whmcs team but why they dont even if we get hacked.

It has been already said tens of times in last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything. WHMCS team has their own software to maintain and secure. They allow us to discuss about this problem here only for common courtesy. You can't pretend them to check, validate, verify, deobfuscate and even fix softwares developed by thousand of people from all countries of the world that have different languages and skills. It would require an enormous amount of money, people and time. It makes no sense.

TL;DR

If my Ferrari explodes because the battery of my Samsung took on fire, who is responsible? Ferrari?

Edited October 1, 2018 by Kian

[bullten]

1 minute ago, Kian said:

It has been already said tens of times in last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything. WHMCS team has their own software to maintain and secure. They allow us to discuss about this problem here only for common courtesy. You can't pretend them to check, validate, verify, deobfuscate and even fix softwares developed by thousand of people from all countries of the world that have different languages and skills. It would require an enormous amount of money, people and time. It makes no sense.

TL;DR

If my Ferrari explodes because the battery of my Samsung took on fire, who is responsible? Ferrari?

Well the example is not the one we expected to be. Good luck with your Ferrari. lol

ok the point is we know one thing we provide linux administration of service. We cant focus on security of whmcs or its addons or start coding our own. Someone have to come in and take its responsibility. We pay and get the service. We are not using it for free

[Remitur]

3 minutes ago, bullten said:

ok the point is we know one thing we provide linux administration of service. We cant focus on security of whmcs or its addons or start coding our own. 

Maybe you've choose the wrong job. 😉   

 

[tap0le]

8 minutes ago, Kian said:

It has been already said tens of times in last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything. WHMCS team has their own software to maintain and secure. They allow us to discuss about this problem here only for common courtesy. You can't pretend them to check, validate, verify, deobfuscate and even fix softwares developed by thousand of people from all countries of the world that have different languages and skills. It would require an enormous amount of money, people and time. It makes no sense.

TL;DR

If my Ferrari explodes because the battery of my Samsung took on fire, who is responsible? Ferrari?

If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their giftshop, I'd I'd say yeah they are partially responsible.

[tap0le]

1 hour ago, Remitur said:

Just my two cents (I'm not involved, and I have no modules from WHMCS Global services): the only good hacker is a dead hacker.

In previous posts I've read crazy and crazy phrases.

There's a security issue, and want to discuss about it? Create a close group (wherever you want, it's your choice) and discuss about it privately: discussing about it publicly is madness.
When the security issue will be closed, then will be the time of public posts and comments... 

 

I completely disagree. Once it's fixed it's rather too late. How will potential victims know NOT to use said software?

Also, the hackers' methods were awful, but it's much better to know then not know. Hackers are necessary. I've paid hackers to hack our site. But security researchers follow ethical boundaries, which these hackers did not.

Edited October 1, 2018 by tap0le

[bullten]

I have a video for fellow community members 🙂

 

 

[Kian]

9 minutes ago, tap0le said:

If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their giftshop, I'd I'd say yeah they are partially responsible.

Hardware stores sells ropes. People commit suicide by hanging themselves with ropes. Hardware stores are murderers.

I'm exaggerating things on purpose to make a point. How can WHMCS be partially responsible? They're responsible or not. It's black or white. It can't be gray. Their only role in the story is that they presented you WGS that happened to be hacked.

This whole story reminds me of Apple & Android with their stores full of millions of Apps. Not even Google and Apple can verify them but we install them not even thinking about security. When something bad happens people start accusing Google & Apple for not making the impossible (checking every single line of code of every App ever released). What's next? Counting grains of sand?

1 minute ago, tap0le said:

Hackers are necessary.

I don't want to start an argument about the right use of terms but this guy is not an hacker, he's a cracker. No ethics involved here but the usual disgusting side of internet.

[brian!]

49 minutes ago, bullten said:

Someone have to come in and take its responsibility.

the responsibility lies with you - not someone else... ultimately, the market will decide.

44 minutes ago, tap0le said:

If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their giftshop, I'd I'd say yeah they are partially responsible.

but WHMCS doesn't sell you any third-party addons via Marketplace - only their own.... the rest are just links to developer's sites... you could get to most of them via Google if you know what the addon is called.

if WHMCS had the responsibility for addons offered through Marketplace, I don't for one minute think they would keep it open - they created Marketplace (as an updated version of the old App Store) as a convenient one-stop place for addons, and I daresay to have some control over their selling - and i'm talking about control in the sense that if they hadn't created Marketplace, someone else would have created it.

23 minutes ago, tap0le said:

I completely disagree. Once it's fixed it's rather too late.

but that's exactly how WHMCS fix their own security flaws when they find out about them - they get resolved via a security update and then WHMCS provide a very brief summary in the changelog.... for very obvious reasons, they wouldn't allow a public discussion here before a fix was in place.

[tap0le]

3 minutes ago, brian! said:

the responsibility lies with you - not someone else... ultimately, the market will decide.

but WHMCS doesn't sell you any third-party addons via Marketplace - only their own.... the rest are just links to developer's sites... you could get to most of them via Google if you know what the addon is called.

if WHMCS had the responsibility for addons offered through Marketplace, I don't for one minute think they would keep it open - they created Marketplace (as an updated version of the old App Store) as a convenient one-stop place for addons, and I daresay to have some control over their selling - and i'm talking about control in the sense that if they hadn't created Marketplace, someone else would have created it.

but that's exactly how WHMCS fix their own security flaws when they find out about them - they get resolved via a security update and then WHMCS provide a very brief summary in the changelog.... for very obvious reasons, they wouldn't allow a public discussion here before a fix was in place.

You are all missing my point. I'm not saying they are responsible for the addon. I'm saying they have a responsibility to the community to remove content once it has been brought to their attention to cause mass harm. I'm not saying they legally have this responsibility, but ethically.

As for disclosure: The difference with WHMCS is they actually fix their security holes. When it actually comes to their software they are on top of it. Like i said in my first posts, the hacker should make aware the party in which they hacked, give them time to fix it, then release the info on the vulnerabilities at a specified time whether or not it's fixed.

This is how the industry works. It's standard practice.

 

[tap0le]

 

12 minutes ago, tap0le said:

As for disclosure: The difference with WHMCS is they actually fix their security holes. When it actually comes to their software they are on top of it. Like i said in my first posts, the hacker should make aware the party in which they hacked, give them time to fix it, then release the info on the vulnerabilities at a specified time whether or not it's fixed.

This is how the industry works. It's standard practice.

 

Edit: I realize I said something that conflicts with this, saying once it's fixed it's too late. I didn't mean that. I was getting frustrated and that just came out.

[brian!]

8 minutes ago, tap0le said:

I'm saying they have a responsibility to the community to remove content once it has been brought to their attention to cause mass harm.

that assumes that posting here counts as 'bringing it to their attention'... I suspect suspicious modules would have to be reported - otherwise they'd just be reacting to hearsay.

14 minutes ago, tap0le said:

When it actually comes to their software they are on top of it.

that's the best laugh i've had in a while.

[tap0le]

7 minutes ago, brian! said:

that assumes that posting here counts as 'bringing it to their attention'... I suspect suspicious modules would have to be reported - otherwise they'd just be reacting to hearsay.

that's the best laugh i've had in a while.

Well I guess I'll look for instructions on reporting them.

Lol i didn't mean they are on top of their software as a whole, just the security aspects of it. Usually.

[brian!]

1 minute ago, tap0le said:

Well I guess I'll look for instructions on reporting them.

I just think it's safer to assume that posting here does not equate to telling WHMCS.... chances are they already know about the WGS situation by now, but I don't know if they know (if you see what I mean!) 

5 minutes ago, tap0le said:

Lol i didn't mean they are on top of their software as a whole, just the security aspects of it. Usually.

by definition, we wouldn't know whether they are or not - we'd only know about flaws if either they, or someone else, told us about them.

[bear]

On 10/1/2018 at 7:57 AM, wp4all said:

There was already a post on the Hacked day and it was closed totally instead removing the Link.

It wasn't closed, it was removed from public view. I'd have to assume the knee jerk reaction was to get the damaging details off the public community quickly, without reading for content. Maybe. Each community moderates in their own way. 🙈

[WHMCS John]

Hi all,

We are aware of the recent compromise of the 3rd party development company "WHMCS Global Services" and are monitoring the situation to determine what actions are appropriate for the modules and addons provided by them.

At its core, the WHMCS Marketplace is a community driven service with reviews and ratings allowing users to share their experiences, both good and bad with the modules available within it. While we review and approve all new listings in the WHMCS Marketplace to ensure that add-on information is as accurate and complete as possible, we state in our FAQs that we do not monitor, review or provide any assurances about the quality of code contained within any add-ons or extensions and that installation and use of modules obtained via the Marketplace is done so at the users own risk.

[wp4all]

20 hours ago, bear said:

It wasn't closed, it was removed from public view. I'd have to assume the knee jerk reaction was to get the damaging details off the public community quickly, without reading for content. Maybe. Each community moderates in their own way. 🙈

Rarely never read such a contradiction. This is a community for the WHMCS community WGS offers 3th party modules for just this software. What could be closer to the customer than bringing the information here?

Nothing was presented which WGS had already reproduced in their Blog or was already readable in the net.

In generally I hate censorship and accept it only when it makes sense.

In this post the Links where deleted and on the Post before it was made inaccessible to the public what a a contradiction.

Just to think about it, the information was still listed here in the community especially before WGS had informed its own customers. Alone that already says how important the community is here and it is also used.

@bear in other community Post it was possible to delete just the link and not the whole Post ?

http://www.webhostingtalk.com/showthread.php?t=1731675

But you can see it has nothing changed, whether it's cpanel, WGS or WHMCS itself.

cover of silence

On 10/1/2018 at 4:36 PM, Kian said:

It has been already said tens of times in last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything.

WHMCS has a damn duty to inform its customers about possible damage.

I Agree totally that no one can  desire that WHMCS has to proof every single Theme, Module or Addon but you have the duty to inform your customers about possible damages even more if you know about them.

On 10/1/2018 at 4:36 PM, Kian said:

and isn't obligated to do anything.

It can not be to sit down and say hey it's not WHMCS I do not care.

Then WHMCS should not even appear to have something to do with it, if they wants to distance oneself in hindsight.

 

 

Call it collection of unaudited addons suitable for whmcs 😉 and remove your Brand .

 

For this entry I am ready to receive my first warning.

P.S. I like the Frog - Story think about it.

Sorry I'm not the native english speaker so sorry for my grammar and expression.

Greetings from Germany 

Christian