Possible Data Leak - HostDoc
This discussion has been closed.
Comments
Found in headers from a curl:
X-Server-Powered-By: Engintron
https://engintron.com
"with an additional micro-cache layer to significantly improve performance for dynamic content generated by CMSs like WordPress, Joomla or Drupal"
Might this help to identify the cause? This is a significant stack that focuses on caching. Looks like it uses APC + memcached. Could it be caching the dynamic data and returning it to other visitors when they hit the same URLs?
The cause is (most probably) the micro caching with Engintron:
If you curl and look for the "x-nginx-cache-status" header, then quickly curl again within a second you should see it turn from EXPIRED to HIT.
From what others have posted, I assume this is what happened - somebody logged in then another client was served the cached version of their dashboard.
Looks like a really simple configuration issue, hopefully it should be able to be resolved quite easily.
For sure.
We tried it on shared but you have to turn off basically all caching if there's cookies just to be safe.
Francisco
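The rule from the post above (no caching once cookies are involved), written out as an nginx micro-cache configuration. This is an added example, not part of the thread and not Engintron's shipped configuration; the zone name `micro`, the cache path, `example.test` and the backend at `127.0.0.1:8080` are assumptions.

```nginx
# Added example. Place inside the http {} context.
# Zone name, cache path, server_name and backend address are assumptions.
proxy_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=micro:10m
                 max_size=256m inactive=10m;

# 1 when the request carries any cookie at all, 0 otherwise.
map $http_cookie $skip_cache_cookie {
    default 1;
    ""      0;
}

server {
    listen 80;
    server_name example.test;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        proxy_cache micro;
        # The key has no per-user component, so anything stored here is
        # served to every visitor who requests the same URL.
        proxy_cache_key "$scheme$request_method$host$request_uri";
        proxy_cache_valid 200 1s;

        # Weak setting: overrides nginx's default refusal to cache
        # responses that carry Set-Cookie or Cache-Control: private,
        # so a logged-in page can be stored under the shared key.
        # proxy_ignore_headers Set-Cookie Cache-Control Expires;

        # Corrected setting, part 1: never answer from the cache when
        # the request has cookies or an Authorization header.
        proxy_cache_bypass $skip_cache_cookie $http_authorization;

        # Corrected setting, part 2: never store a response fetched for
        # such a request, nor one in which the backend sets a cookie.
        proxy_no_cache $skip_cache_cookie $http_authorization
                       $upstream_http_set_cookie;

        # Expose the cache decision for checking with curl.
        add_header X-Nginx-Cache-Status $upstream_cache_status always;
    }
}
```

With this in place, a request that sends a session cookie reports `X-Nginx-Cache-Status: BYPASS`, while a cookieless request repeated within the one-second window may still report `HIT`.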
May very well be it.
@jar @MikePT When I first started doing cPanel hosting 2-3 years ago I used Engintron, had tons of issues with caching forums that would cause forum users to see others' profiles. I would say that's definitely the issue. I think I disabled caching in Engintron completely but eventually dumped it because of some other smaller issues.
I gave up on engintron a few years back - just wasn't playing 'nice' with oscommerce stuff (WHM/cPanel VPS).
Oh dear! This is sad.
Hopefully HostDoc knows what the law says. I don't want to see HostDoc going down because of the big fines. This is not a small thing. It needs 100% focus.
It's just name, email and address. Honestly this is already leaked around, even in your domain whois... or in some hosting db dump. Nothing really sensitive.
Chill....
Tickets can have sensitive information. With the way caching works many sensitive things can be leaked that aren't just that. But yeah, your basic info is everywhere.
Nice find! I would actually be highly surprised if it didn't turn out to be that after all, given that just about everything else has been pinpointed as the cause (tawk, whmcs, cosmic rays etc etc).
The fact that it is also a very logical and likely explanation for the issue helps too
Well I mean... yeah if you put your password in the title of a ticket lol. But otherwise based on the info here is just titles.
Exactly this. Enough can be gleaned by what's leaking here to successfully use social engineering against the provider.
True, but generally not tied to a service in a way that could be used against you. I could give a stranger who lives on the other side of the country the keys to my house, and as long as he had no idea where I live I'd be safe. Imagine if I gave the keys to my house to someone random on my street..
I think it's safe to assume that only pages without specific IDs in the URL would have been leaked, unless someone started cycling through IDs. At least that can technically, although quite time consuming, be audited to see if any pages with IDs (product ID, ticket ID) were viewed by someone who hadn't logged into the matching account.
Here's an interesting quote from https://hostdoc.co.uk/privacy-policy/
Specifically, your personal data will be stored in accordance with the Payment Card Industry Data Security Standard
Never liked that piece of shit. :P
I'd love to see their PCI compliance cert.
Someone call the nurse the doc is out!
Did someone say, Nurse?
Looks like whmcs is back online and accepting signups and payments again.. does this mean it's fixed? What was the problem?
X-Nginx-Cache-Status: BYPASS
Cache had to be disabled and it looks to have been.
When in doubt, C4.
Blow it up and all problems will be gone.
This oughta go into some KB
Wait does this happen only on the computer where you logged in and logged out? Or your session is cached even after logging out and anyone can see those details not only on the computer you logged in?
So they can also see ticket contents not only the title? Yes sometimes there are sensitive info in ticket replies...
Correct. All someone needs to do is visit the client area and you will see the account and personal details of another customer who could be on the other side of the planet.
Possibly, if they visited a ticket page with a ticket id in the URL, but this is thankfully less likely and requires a bad actor to exploit, unlike the current issue where the system just indiscriminately offers up the details to anyone regardless of their motivation.
Very reasonable reply from Doc.
Hope it's all sorted.
So the problem was tawk? If so, glad it's finally all sorted :-) I guess that means it's back to business as usual - nothing to see here.
/thread
Edit: and kudos to the Doc.