WHMCS Global Services - hacked and doing nothing about it


tap0le

@bullten Let me try to put this in perspective for you taking as example a module that exists on the Marketplace.

There are 870 modules in the Marketplace. Let's suppose that they receive an update at least once every 2 months and that they're not so big, just 0.4 MB of scripts. We have 5220 releases that generate 2 GB of code to check yearly and that can fill 613.566 pages (28 million lines). Okay, it's not all made of scripts, there are also comments and empty lines, but it's still huge. Lastly, don't forget that there are modules that receive 40+ releases per year and have more than 2.5 MB of PHP code.

3 hours ago, bullten said:

Second someone said its impossible to verify codes.

It was me. I said that it was virtually impossible. It's like fighting web spam made by bots or filtering DDoS attacks manually. I mean yeah, maybe you can even get good results (I did 😄 when I was young and stupid) but after a few hours/days you realize that it is not a reasonable approach. Draining a lake with a bucket is possible but makes no sense.

Edited by Kian

1. Two people get into a car. The driver is stealing it... in a legal sense, is not the passenger also committing a crime?

2. A person passes you in the street and offers a ridiculously cheap purchase for what is obviously an unused new chainsaw. Are you going to convince yourself that by purchasing this saw you are not the recipient of stolen goods?


Saying "I take no responsibility for the actions of third party suppliers on MY website" carries about as much insulation as person no. 2 in my above examples.

Edited by adamjedgar

9 hours ago, bear said:

I'd say that's a bit much, the 5 million lines, but I know a guy that's incredibly good with it, and was eventually hired by Yahoo to manage databases and the queries that ran them. He'd have to configure a change to a live system to fit what they wanted, and was given a downtime window of something like 10 seconds to restart and it *had* to work. He once looked at a script for me that was roughly a hundred lines, and read through it once and knew the fix I needed, which he got right immediately, and wrote it on the fly.
They exist. 

He said he knows coders that can look at your code and understand it in 15-30 minutes. That is not how coding or development works. It's not the same to look at one file with 50 lines as at a piece of software with 100,000. The 5 million was an overstatement, because my point is that it does not work like he assumes it does. You absolutely cannot say that it will take 30 minutes per module. One module can be very simple, another very complex. Even simple modules will take more time than that. A module with 2 PHP files? Sure, but at least most modules I use are not composed of 2 files, and you can absolutely bet it will take more than the time mentioned to look at the code, and more to understand what it does. This is not reading a book. Some code can also be completely uncommented or have no documentation; ask any developer that has to work with messy code and he takes more time to understand the whole thing than to actually fix the bug. I know plenty of people hired now at Google and many other tech companies. None of them can do what he said. Some build software that is more complex than WHMCS today and even they take their time to fix even simple things when I report them. He is making it look like you can just hire someone to look 30 minutes at each module and problem solved. And what happens when a developer updates the module? Again 30 minutes? How about if he updates it 10 times a week? How about doing that for 200 modules? It's just not realistic to expect WHMCS to verify the code from third party modules unless they charge for some sort of certification. And that would cause delays when a bug has to be patched or a security hole closed, as now the developer needs WHMCS to certify the code again.

This is assuming another company or developer even wants to share their code with WHMCS in the first place, because it's their intellectual property.


8 hours ago, Kian said:

@bullten Let me try to put this in perspective for you taking as example a module that exists on the Marketplace.

There are 870 modules in the Marketplace. Let's suppose that they receive an update at least once every 2 months and that they're not so big, just 0.4 MB of scripts. We have 5220 releases that generate 2 GB of code to check yearly and that can fill 613.566 pages (28 million lines). Okay, it's not all made of scripts, there are also comments and empty lines, but it's still huge. Lastly, don't forget that there are modules that receive 40+ releases per year and have more than 2.5 MB of PHP code.

It was me. I said that it was virtually impossible. It's like fighting web spam made by bots or filtering DDoS attacks manually. I mean yeah, maybe you can even get good results (I did 😄 when I was young and stupid) but after a few hours/days you realize that it is not a reasonable approach. Draining a lake with a bucket is possible but makes no sense.

Exactly! But he assumes you can do this in 30 minutes...


Well, I just gave an example of 30 minutes. 🙂 Anyway guys, it's beyond your imagination. You haven't received or seen support by companies. Who says code can't be decoded lol. Something you don't know doesn't mean it doesn't exist 🙂

My best example is cPanel. You do some stupidity with your Linux server and it's beyond the scope of cPanel, still they will write in the ticket "This is something not caused by cPanel but as a courtesy we will help you". They didn't even build Linux, so why the hell do they do that? cPanel is insanely stupid or they want to retain customers and provide the best support in the market.


4 hours ago, adamjedgar said:

1. Two people get into a car. The driver is stealing it... in a legal sense, is not the passenger also committing a crime?

2. A person passes you in the street and offers a ridiculously cheap purchase for what is obviously an unused new chainsaw. Are you going to convince yourself that by purchasing this saw you are not the recipient of stolen goods?


Saying "I take no responsibility for the actions of third party suppliers on MY website" carries about as much insulation as person no. 2 in my above examples.

What are you talking about? Are you saying you are also legally responsible if someone spams from your server or hosts child porn? You didn't bother to answer any of my previous questions so please answer that one. Are you responsible for anything illegal done on the hosting services you currently offer?

How about a cell phone company? Are they responsible if customers are using the service to commit crimes? The answer to all of those questions is NO. You cannot shift personal legal responsibility to someone else, that is not how the law works. How about a friend hacking something using your Wifi connection without your knowledge?

Society would not work at all if you could just make a third party responsible for your personal actions. Each individual is responsible for his/her actions, not someone else. You need to show complicit cooperation with that party in order to commit that crime. WHMCS is not purposely promoting malware modules on their site. If that was the case, and they are doing it in collaboration with the malicious actors you would have a point. But that is not the case here.

Also, you seem to ignore what I said before. The modules in the marketplace are not hosted on WHMCS. Click on a module to buy or download a trial. You are transferred to the developer's website. It's not WHMCS. WHMCS is not hosting or giving you those modules.

Your argument is as dumb as saying that linking to a malicious site from your website makes you legally responsible for the actions on the other site. The whole Internet is linked to everything else. Every single person would be responsible for something.

What WHMCS does in the marketplace is just that. A link to those modules.


12 hours ago, bullten said:

Well, I already posted at the start. Whenever a module is generated at some cost, WHMCS should verify its security to a certain level, then encrypt it or whatever the module developer wants, and release it. At least common security measures have to be followed. We have a sensitive business. If we get hacked and data gets leaked or deleted then the client may sue us. If they sue us, we sue the other company. So better to be secure than to be late.

Regarding your Google analysis. Do you have anyone at Google? Well, I have, and I know how their market actually works. So arguing about their store doesn't look authentic to me.

The way people are defending these things, they will say someday, when WHMCS actually gets hacked, that WHMCS didn't develop PHP so why should they take responsibility lol.

We need to look for betterment not follow legacy policies.

Great logic! So if I buy a $2.5 unlimited hosting plan from your company, will you install WordPress for me? I also want it configured, and the plugins, and I also want you to fit my design, make my logo and then update my website every week, plus of course moderate all comments, including spam, and make sure the ship is properly secured. I assume you provide all that for $2.5 because you don't have legacy policies and it's all about helping the customer. I also expect you to completely safeguard my website; if it gets hacked, like you said, I should make you legally liable. I do mention that I will install all sorts of garbage PHP scripts that do nasty things, and I will just give out my passwords to anyone. But since it's your service you are still responsible for whatever I do on the servers, since they are yours.

Is that all ok with you?

It’s ironic how people demand from others something they are not willing to provide on their own. You know exactly that everything I asked is not possible for that amount of money. You would be in fact losing money for each customer and no company is in the business of losing money if they want to keep the lights on.

Experience will show you the hard way if you are not willing to listen to others that have far more experience in the same industry.

Edited by yggdrasil

15 hours ago, adamjedgar said:

1. Two people get into a car. The driver is stealing it...in a legal sense, is not the passenger also committing a crime? 

depends if they know whether the driver is the legal owner of the car before they get in!

15 hours ago, adamjedgar said:

2. A person passes you in the street and offers a ridiculously cheap purchase for what is obviously an unused new chainsaw. Are you going to convince yourself that by purchasing this saw you are not the recipient of stolen goods?

shall we return from the bizarre world of your analogies to a more sane one...

3. i'm looking for a builder, so I look in Yellow Pages (either the paper version or Yell! etc) and choose a builder from all the adverts and listings on those pages... it turns out that he's no good and causes severe damage to my mansion.

in your world, Yellow Pages bear (some of) the responsibility for the damage - in the real world, it's my fault for employing that builder, and whilst I could sue the builder (as my contract is with him), there is no such contract, or responsibility, with Yellow Pages.

that is exactly Marketplace - they are not modules verified, hosted or sold directly by WHMCS... they are just listings - nothing more.

15 hours ago, adamjedgar said:

Saying "I take no responsibility for the actions of third party suppliers on MY website" carries about as much insulation as person no. 2 in my above examples.

no it doesn't, because WHMCS aren't selling you any of these modules... you are following the links and you are the one making the decision to buy the modules...

at best, they have the responsibility to remove listings from the site when they know / reasonably suspect there is a serious issue (which they have), but they're not here to hold your hand and promise you everything is going to be ok. 👶

maybe WHMCS need to make it clearer on Marketplace, but i've never been under any illusion what Marketplace is - and what it isn't.


Man, this post seriously turned into a crazy debate. I honestly just wanted to share with the community and ask WHMCS to take the listings down for now. I'm honestly impressed WHMCS did take them down. 

Like @brian! said, they aren't liable for the modules or damage they may cause, but taking them down once they are aware is the responsible thing to do. And they did that.


7 hours ago, tap0le said:

Man, this post seriously turned into a crazy debate. I honestly just wanted to share with the community and ask WHMCS to take the listings down for now. I'm honestly impressed WHMCS did take them down. 

Like @brian! said, they aren't liable for the modules or damage they may cause, but taking them down once they are aware is the responsible thing to do. And they did that.

Are they still compromised today? Maybe the developer regained control over his server/software already. If I understand correctly the modules themselves are not compromised but the hacker announced a fake update which customers downloaded. Now, the developer company not informing its customers about this is a complete lack of integrity. Any company should email and inform their users the minute they suspect a breach, even if they don't understand what happened yet. I think that is even a legal requirement now under European GDPR regulations. Just a simple email does not hurt anyone and they could at least have informed that they are investigating the situation.


12 hours ago, brian! said:

maybe WHMCS need to make it clearer on Marketplace, but i've never been under any illusion what Marketplace is - and what it isn't.

Because it's common sense. You should not install software you don't trust on any computer. By that I mean phone, desktop and of course servers. I suspect some people think that hosting is some magic account somewhere in the air. It's basically just a computer running 24/7 and the same principles apply. Installing PHP files on your website is installing software. Those files can do anything they want with the data and other files in that account.

This is what I give to people new to computer security. Maybe some folks here should give it a read and apply the common sense rules to their installations:

https://technet.microsoft.com/en-us/library/2006.05.reducerisk.aspx

Once they read that, they will understand how it's impossible for WHMCS to be responsible for this.

Edited by yggdrasil

11 minutes ago, yggdrasil said:

Are they still compromised today? Maybe the developer regained control over his server/software already. If I understand correctly the modules themselves are not compromised but the hacker announced a fake update which customers downloaded. Now, the developer company not informing its customers about this is a complete lack of integrity. Any company should email and inform their users the minute they suspect a breach, even if they don't understand what happened yet. I think that is even a legal requirement now under European GDPR regulations. Just a simple email does not hurt anyone and they could at least have informed that they are investigating the situation.

The hackers didn't do anything to the modules, but they did reveal vulnerabilities in them. For instance, in almost all the modules, they fail to validate the php files, and they can be executed directly.


Man, we also know what you are saying. We accept that it's not possible as no one is offering it. We also know the policies of different companies. We know everything. You are not the only one who knows all these things. What I wanted to say was another business model. A business idea for WHMCS: they can set up a basic security call at a chargeable price. Meh, leave it, it's useless to explain to someone who follows other companies' policies and is happy with that. But I know something about you: if you had been the partner of Bill Gates then Bill Gates would have been working at Apple and I would have been a proud user of Mac. Windows just sucks 😄 I am very clear about what I am saying. I don't need personal business or technical advice. 🙂

Also, talent does exist; if you don't know that, I can't help you with it.


2 hours ago, tap0le said:

The hackers didn't do anything to the modules, but they did reveal vulnerabilities in them. For instance, in almost all the modules, they fail to validate the php files, and they can be executed directly.

Do you mean they fail to validate the user input? Or the remote download they pull? If the modules on their own are vulnerable, the developer should be notified in order to fix them. So far I had the impression the company was hacked, not necessarily the modules on the customer side. The modules on customers' installations can be remotely modified or manipulated?

Edited by yggdrasil

2 hours ago, bullten said:

Well, I have a suggestion for you. Go to Amazon inventory management and see how they manage an impossible task. It's a bigger job than your coding stuff. I like this impossible word so much. lol

Why are you comparing a company with $177 billion in revenue and over 500,000 employees with a company like WHMCS that has maybe ~10* employees and maybe less than ~$1* million in revenue? * = I'm guessing, but the point is your comparison is still ridiculous.

And by the way, you are wrong. Plenty of fake stuff slips into Amazon's inventory. Do your research: Amazon has a real problem with counterfeit products. Don't ever buy an SD card from them because it's probably fake. Like you see, even a company of that size is not perfect and has its problems. If you think Amazon is checking manually every product that is sold on Amazon you have no idea how Amazon works. Tip = They don't, it's all automated and this is why you can pass fake products; some are just scams and are only removed when multiple people report them.


2 hours ago, bullten said:

Man, we also know what you are saying. We accept that it's not possible as no one is offering it. We also know the policies of different companies. We know everything. You are not the only one who knows all these things. What I wanted to say was another business model. A business idea for WHMCS: they can set up a basic security call at a chargeable price. Meh, leave it, it's useless to explain to someone who follows other companies' policies and is happy with that. But I know something about you: if you had been the partner of Bill Gates then Bill Gates would have been working at Apple and I would have been a proud user of Mac. Windows just sucks 😄 I am very clear about what I am saying. I don't need personal business or technical advice. 🙂

Also, talent does exist; if you don't know that, I can't help you with it.

Why don't you start that company if you think it's that easy and a viable business model? Start the company and service that certifies WHMCS modules and then also gives customers a guarantee that modules from their own store are secure and safe. Talking is easy, doing is another story.

Actually, you do need business and technical advice. A lot, actually. ☺️


59 minutes ago, yggdrasil said:

Do you mean they fail to validate the user input? Or the remote download they pull? If the modules on their own are vulnerable, the developer should be notified in order to fix them. So far I had the impression the company was hacked, not necessarily the modules on the customer side. The modules on customers installations can be remotely modified or manipulated?

They were hacked through the use of one of their own custom templates. All their modules are vulnerable, and all companies that use them are as well. There's no validation for running the code. (Not restricted to only be run internally by whmcs. It's a simple line of code you add to the php files to ONLY allow them to be called as the result of an action in whmcs. Most of their files in their modules do not include this validation.)  Almost all the php scripts can be called by a simple curl command from anywhere. Their client x template goes even further, and allows you to upload a php script and run it remotely.

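The "simple line of code" mentioned in the post above is the standard WHMCS direct-access guard: WHMCS defines the `WHMCS` constant before it includes a module's files, so a file that checks for that constant and dies when it is absent cannot do anything when it is requested straight from the web server. The following is an added example, not code from the thread, from WHMCS or from the vendor under discussion: a small CLI audit script (the function names `files_missing_guard` and `make_sample_module` and the sample module tree are my own, constructed for the demo) that lists the `.php` files in a module directory which never check the constant. It assumes only that WHMCS defines `WHMCS` before loading module code, which is what the guard itself relies on.

```php
<?php
// Added example, not code from the thread, from WHMCS or from any vendor module.
// CLI audit: which .php files in a module tree lack the WHMCS direct-access guard?
// Assumption: WHMCS defines the constant WHMCS before it includes module files.

// The guard the thread describes. A file fetched directly over HTTP is run by PHP
// with the constant undefined, so the guard stops it before any top-level code
// executes. It only works if it is the first statement in the file.
const GUARD = <<<'PHP'
if (!defined("WHMCS")) {
    die("This file cannot be accessed directly");
}
PHP;

/** Return the .php files under $dir whose source never checks the WHMCS constant. */
function files_missing_guard(string $dir): array
{
    $missing = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        // Textual check only: a match shows a guard exists somewhere in the file,
        // not that it runs first; a miss is what you review by hand.
        if (!preg_match('/defined\s*\(\s*[\'"]WHMCS[\'"]\s*\)/', $src)) {
            $missing[] = $file->getPathname();
        }
    }
    sort($missing);
    return $missing;
}

/** Build a constructed sample module tree (hypothetical names) for a demo run. */
function make_sample_module(string $base): void
{
    @mkdir("$base/modules/addons/example", 0700, true);
    // Guarded file: nothing below the guard can run on a direct request.
    file_put_contents(
        "$base/modules/addons/example/example.php",
        "<?php\n" . GUARD . "\nfunction example_config() { return ['name' => 'Example']; }\n"
    );
    // Unguarded file: a direct request executes its top-level statement outside WHMCS.
    file_put_contents(
        "$base/modules/addons/example/export.php",
        "<?php\n// no guard here\necho json_encode(['status' => 'ok']);\n"
    );
}

if (PHP_SAPI === 'cli') {
    // php audit_guard.php /path/to/whmcs   -> audits a real install's module tree
    // php audit_guard.php                  -> audits the constructed sample tree
    $root = $argv[1] ?? sys_get_temp_dir() . '/guard-demo-' . getmypid();
    if (!isset($argv[1])) {
        make_sample_module($root);
    }
    foreach (files_missing_guard($root) as $path) {
        echo "missing direct-access guard: $path\n";
    }
    // With the sample tree only .../modules/addons/example/export.php is reported.
}
```

Run the script from a shell, not from the document root, and treat its output as a review list rather than a verdict: the guard only addresses files being invoked directly by the web server, it is not input validation, and a file that merely declares functions does nothing when requested directly anyway, while a file with top-level statements (or one that writes uploaded content to disk, as the template mentioned in the thread does) is the kind that needs the guard and a closer look.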

haha that's what I am saying. I am asking WHMCS to start something like this as they understand their software and modules lol. Also I have something for people who use the word "impossible" in any way: "Things are impossible for you just because you don't know how to do it."

If I need advice regarding business personally I will ping you buddy 🙂


1 hour ago, bullten said:

haha that's what I am saying. I am asking WHMCS to start something like this as they understand their software and modules lol. Also I have something for people who use the word "impossible" in any way: "Things are impossible for you just because you don't know how to do it."

If I need advice regarding business personally I will ping you buddy 🙂

They don't start a service like that because THEY KNOW how software works. You clearly do not. This is why you suggest ridiculous things. I know enough to understand you are very young and naive and most likely don't understand what you are using or even selling. I suspect you don't even understand how hardware works either. And yes, you should get some advice. For example, selling unlimited bandwidth is just scamming people because I'm sure there are no unlimited switches, routers or networks in terms of network speed, ports or packets per second. With that alone on your website it means you know nothing about how networks or servers work; you most likely never even entered a data center before or built a rack full of servers. And you surely never developed software either, otherwise you would not be trying to argue things that are common sense for everyone else. 🙄

You don't like the impossible? Me neither. So why don't you donate a million dollars to WHMCS so maybe they can certify the developers' modules for us. Or let me guess? You think everyone works for $3 an hour... Since nothing seems impossible for you, we should contact WHMCS, since you will surely not have a problem coming up with that money to pay for the proposed solution, since nothing is impossible, right? Sure not, just hard... 😄

Let me guess again? You are not paying for this 😭. So why are you asking WHMCS to pay for what you are supposed to do? It's your job to make sure you don't install crap stuff on your server, not WHMCS'. It's your job to verify and certify the security of the code running on your systems or for your customers. This is exactly why I don't buy encoded modules in the first place. Because I do check a module (and sometimes fix it or pay someone) before running it. It's your job to do those tasks, not WHMCS' or anyone else's. If you don't trust the developer of a third party module then don't buy the module, or just do your own job making sure it's secure before installing it. If you can't do that, then you need to blindly trust the developer, but don't try to pretend WHMCS should be responsible for doing your work because you are lazy or just don't want to pay someone to do it. There is no free lunch in the world, wake up and smell the coffee, WHMCS is not going to do this for any third party software ever. It's not their job and they are not responsible for what you do with your WHMCS installation.

Edited by yggdrasil

We do provide unlimited bandwidth up to 1 Gbps 🙂 I am again telling you we also know there is nothing like unlimited lol. It's just something which lures a person to go for the service 😛

Between, to make something clear, Bullten was built as a subsidiary of another company which you will never find on Google claiming it.

Man, if I had millions of dollars why would I be using WHMCS? lol

Yes, you are very right, I was very young at the time when I went for funding and I used the word "impossible" to explain something. That time I was sent out of the room without further conversation and later I was told by the "investor" that "Impossible is something you don't know, but it is possible for someone else. So I will better look for someone who has the possibility to make it possible, regardless of whether he fails too."

Man, I am not saying WHMCS should take whole responsibility. Basic security parameters.... grrr. Hard to explain to you, but believe me or not, you need to look into the world and see what amazing things people are doing. Explore the world, then we will have a conversation about that. I am paid to explore around, fall into conversation and learn things. I can argue with you 24x7 if you want to 😛

You can't convince me of it because I am very clear on the point I am talking about. It's impossible for me to convince you because I know what points you are talking about. I do understand everything but still it's not "impossible" 🙂

Edited by bullten

43 minutes ago, wp4all said:

Need more Popcorn 🥡

I'm not trying to be mean but realistic. It does not help WHMCS as a company unless it's a valid and workable solution. Not only do some people here think that WHMCS should be responsible for the security of modules in the marketplace but even check the code on them to make sure they are not doing anything nasty, which is very unrealistic even for a huge company. Having the option to have modules in WHMCS is already a great feature and I think one of the reasons some people pick WHMCS is because of the extensive ecosystem of third party modules and integrations. This is a big upsell for WHMCS as you can complement missing things with external code. Instead of appreciating that, they think that WHMCS should somehow interfere with external third party developers, something I fully disagree with, not only because it's bad for the WHMCS ecosystem but also an expensive and time consuming task for a small team like WHMCS. I think they have more than enough work already with maintaining their own official modules and bugs in the core to focus on things they didn't build.

It's like trying to make Amazon responsible for software you buy from them. Amazon has a gazillion downloadable items, and like with any software, some have serious bugs and security issues. But nobody in their right mind would blame that on Amazon rather than the official developer/company that is making the software. The same is true for the App Store, the Play Store and basically anything else you buy online, tangible or intangible products. Even if WHMCS charged directly for those modules and the download was on their website (which is not even the case today), even so they would not be responsible. The best they can do is remove the listing until it's fixed.


1 minute ago, bullten said:

We do provide unlimited bandwidth up to 1 Gbps 🙂 I am again telling you we also know there is nothing like unlimited lol. It's just something which lures a person to go for the service 😛

It's not unlimited, it's called unmetered. If you have a 1 Gbit/s link, then you can't offer unlimited bandwidth. Just like you said, it's to lure people to hire you, but do you state in the offer that the speed is limited? Speed limit = limited amount of transfer per month = not unlimited.

If your company has a 1 Gbit link you can’t push more than 320 TB a month in total. So not really unlimited is it?

Your offer is dishonest, as someone without knowledge will understand that he can push unlimited transfer per month, which is not really the case. And I'm sure you put unlimited everywhere without trying to explain the real limits…

In my book that is just trying to get money from people that don't know better and are not tech savvy. If you look up Wikipedia, * is defined as "A confidence trick (synonyms include con, confidence game, confidence scheme, ripoff, * and stratagem) is an attempt to defraud a person or group after first gaining their confidence, used in the classical sense of trust. Confidence tricks exploit characteristics of the human psyche, such as credulity, naïveté, compassion, vanity, irresponsibility, and greed."

Guess which one you are exploiting by asking money for something that does not exist? Trust me. In the future there will be some laws against this; I think in some countries ISPs can't advertise unlimited bandwidth anymore.

Quote

Between, to make something clear, Bullten was built as a subsidiary of another company which you will never find on Google claiming it.

I don't plan to either. I just looked at your website for 30 seconds and closed it after I spotted "unlimited", like anyone looking at hosting services seriously.

Quote

Man, if I had millions of dollars why would I be using WHMCS? lol

Because developing a system like WHMCS will cost you more than a million dollars. WHMCS has been in development for years.

Quote

Man, I am not saying WHMCS should take whole responsibility. Basic security parameters.... grrr. Hard to explain to you, but believe me or not, you need to look into the world and see what amazing things people are doing. Explore the world, then we will have a conversation about that. I am paid to explore around, fall into conversation and learn things. I can argue with you 24x7 if you want to

We agree here, you can cure ignorance by travelling.

Quote

You can't convince me of it because I am very clear on the point I am talking about. It's impossible for me to convince you because I know what points you are talking about. I do understand everything but still it's not "impossible" 🙂

I will not anymore, because I have no idea what you are talking about at this point. Like I said, WHMCS cannot check or certify the code on third party modules. So what you ask is just nonsense for a small team of developers like WHMCS. I'm not sure what security parameters you are referring to either. PHP files on your server run PHP code; they can do basically anything on your server at that point. If the developers are not using the proper API or are tapping into things directly, there is not really anything WHMCS can do to protect you from third party modules & code, and to be honest I don't think anyone wants that. If that was the case you would not have the modules you have now; they would be severely limited in what they can do. Not something developers want, and neither WHMCS customers. In fact, people like me want the opposite. I want more openness, just like Microsoft is open sourcing some of their software and patents, embracing Linux, and the rest of the world is also heavily collaborating with open source. I want WHMCS to offer more non-encoded files (not open source their software, just open code), and make it more accessible and visible for developers.
