
Comments
Sure, every product has its quirks. But we're not talking about minor bugs here; we're talking about an alleged wide‑open security hole that anyone could exploit with ease. And yet, of the thousands of Virtualizor customers, only one has had this gaping hole exploited? Hmm.
Interesting claim. Let's revisit the facts:
Except Softaculous never said that. What they did do was repeatedly request evidence of the supposed exploit, via logs, traces - anything at all. None was provided. Not a single byte. So tell me, which part of that looks like "professional disclosure from start to finish"?
What we're really seeing here is a group of children playing games with people's data on the internet, and then making bold, unsubstantiated claims in public to try and wipe their behinds of the stain they've left when they've been caught with their pants down.
Funny, that. A respected consultancy with a long track record is backing Virtualizor here. Virtualizor's getting a lot of unjust hate without any valid proof, cause or reason.
Multiple hosts have been hacked this year and the common factor has been that they all used Virtualizor and the WHMCS addon, which OuiHeberg claimed was the vector.
I'm personally sitting on a Windows Defender bug that is so serious I can't drop it publicly. The complexity is extremely low, and the only remediation is to reinstall the OS. I can't say anything more about it because it's not hard to discover with the smallest clues.
I reported it to Microsoft's bug bounty, they confirmed the issue and then said it doesn't qualify for a payout so I should report it through a different channel.
I told them I'm not reporting it twice, they've already reproduced and confirmed the issue so they can forward it on themselves internally because I'm not wasting any more effort when there's nothing in it for me. 6 years later, the bug is still there and still unpatched.
So, yes, very serious bugs get left in the wild all the time when the vendor doesn't play ball. But you will believe what you will, and that's fine because we all make decisions based on our own experiences and judgement.
@ouiheberg
Any news, preferably backed up by data or a credible well reputed ITsec third party?
They've probably got bored and given up. But if you want to pay for the "well reputed ITsec third party" then you're welcome to offer to help them.
After all, reporting bugs takes time and effort, which is rarely worth doing unless you're either being paid, running a charity or absolutely desperate to keep the software for whatever reason.
It's a bad look leaving us all hanging though. If there's an actual issue please communicate it up the line and save the next guy from getting jacked.
But pointing at a third party and calling them responsible requires credible evidence.
Also, why do you try to put the burden on me? It's in @ouiheberg's own - and in their customers' - interest to find out the real problem.
No, it's really not OuiHeberg's issue. They tried to engage with the vendor, and responsibly reporting security bugs is the reporter doing the vendor a favour rather than the other way around.
I'm also not putting any burden on you. I'm simply pointing out that engaging a 3rd party is an expensive business, and it's certainly not worth doing just to score internet points.
Everyone will make their own judgements about what's happened here, but if OuiHeberg have abandoned their reporting efforts, (both to Virtualizor and the LET community), it'll be because they've decided it's not worth their effort compared to what they stand to gain/lose from doing/not doing so.
That's perfectly sensible and aligns closely with their behaviour illustrated in this thread.
That's where I stopped reading. Have a look at this thread's title.
Btw, my interest is neither accusing nor defending @ouiheberg, it rather is to (a) see the problem behind the security breach solved plus shown here, and (b) to see @ouiheberg update the community.
And that's why you've come back with such an ignorant response. But thanks for letting me know so I know not to bother engaging further.
or they "dediced" it was not virtualizor bug, was theirs, and to avoid the shame, they went silence mode.
If we are just making assumptions, we can make any we like.
This comment is absurd given the fact that @Virtualizor is open and willing to review the issue with the provider, and the provider was responding daily, sometimes multiple times daily, during their recovery efforts, yet now the provider has gone silent.
So either:
Reminder, it was OuiHeberg who said they would provide the POC and then vanished from this forum.
Can you explain how you believe OuiHeberg did Virtualizor any favors here? It seems like they dragged them through the mud without any evidence.
Yes. Exactly that. There are settled truths, which both sides confirm, and the rest has been left to each person to form their own opinions and assumptions. And it'll stay that way unless OuiHeberg returns to provide more context.
The assumptions I've formed are based on my previous experiences reporting security issues to vendors, which I'm happy to admit has negatively biased my outlook in favour of the reporter.
Others will form different opinions and make different assumptions, but the only reason I've even shared a detailed take is in response to a direct question about why I will personally avoid Softaculous products.
You know what would stop us having to make assumptions?
DEALS
Sorry, got carried away. I guess you wanted to hear "the truth".
From what I've seen, they cried foul but never provided any evidence that there was a bug.
What is this word?
At a guess, someone who's not a native English speaker making a single character typo, replacing one character with the one next to it on the keyboard. "deduced" fits perfectly in what he wrote and didn't take me much effort to deduce.
I interpreted this as "decided", but your explanation makes more sense.
Regardless, @ouiheberg hasn't logged in since November 25th (one day after Virtualizor claimed they still haven't received anything), so I doubt they'll respond anytime soon. It's a shame because if they've failed to produce reasonable evidence that supports their hypothesis, they should just own up, apologise, and move on. Shit happens, especially in critical situations like this.
Edit: Spelling errors
There seems to be some misunderstanding here about what's been said in this thread.
I didn't use AI, (and I'm writing this on a phone whilst waiting to board a plane), but I think the summary below is a fair and neutral description of the salient points:
OuiHeberg announced that they'd suffered a security breach on their Discord, (in French), and a translation was posted here.
OuiHeberg then joined the discussion here and claimed to have confirmed a bug in a Virtualizor plugin. They said their internal team had been able to reproduce the issue using the payload used in the hack and that they had reported this to Virtualizor.
They also claimed that Virtualizor had denied any responsibility and asked them to keep it quiet to avoid causing them "brand damage".
Virtualizor has consistently denied any responsibility, from the very outset, even when that appeared to be a premature response. They later acknowledged that they had received a report from OuiHeberg but couldn't reproduce the issue.
OuiHeberg said in response that they'd provide further proof, including a video. They don't seem to have done this and they also haven't returned to LET since.
On the 3rd of December OuiHeberg announced to their clients on their status page that they've completely removed Virtualizor and migrated to VirtFusion: https://status.ouiheberg.com/
On the 8th of December Virtualizor said that they haven't received any further communication from OuiHeberg and therefore they are confident their product was not the vector for the hack.
Coming to the points of speculation and assumptions....
I've done a LOT of responsible disclosures myself, and I've encountered many obstructive vendors along the way, so my intuition told me that OuiHeberg had just given up attempts to report the issue and moved on.
That assumption appears to have been confirmed by the fact that OuiHeberg are no longer using Virtualizor and therefore have no further incentive to continue the communication.
Virtualizor are welcome to claim that their product is secure because the reporter abandoned the disclosure process, but OuiHeberg seem to have been convinced enough to do the work, (and accept the cost), of removing it in an effort to secure their environment.
Personally, having seen how Virtualizor handled this alleged issue, I won't be risking my PII anywhere near their products...and I can completely understand why OuiHeberg has ghosted them now that they're no longer using their product either.
Others will form different opinions and take different actions, but my own conclusion from this is that OuiHeberg's actions have been consistent and credible whilst Virtualizor's have not been.
Yeah, could easily be that too.
But he used quotes, which I took to mean it was slang or something. With quotes, he's implying some other meaning.
Without the quotes, "decided" makes sense.
When it comes to disclosure, I don't believe ghosting is at all understandable, even if the vendor is being obstructive, just send them the proof so the ball's in their court.
Especially when they publicly pointed at Virtualizor for the vulnerability.
Ghosting both them, and the forum where they made the claim, to me strongly points to @ouiheberg having cried wolf, and not having the humility to admit it.
If they do have proof and Virtualizor for whatever reason isn't taking it seriously, then they should just release it publicly.
I'll personally keep my PII far away from them.
Your data wasn't compromised; only affected customers received an email and an apology postcard.
Security settings seem to have now broken VNC on Virtualizor
"dediced", "c" and "d" keys got hit out of order, that's what it his. Kyebaord malfunction perhaps.
Or maybe, just maybe it is INTENTIONAL, perhaps you're looking at a CLEVER amalgamation of two words "decided" and "deduced"
Who knows?
@TimboJones - @ralf
@stable_genius
Yep, not a native speaker here, so I make many mistakes when writing. Thanks for understanding.
What I wanted to say was "decided"; it was a typo.
For some context, I was replying to this: "they've decided it's not worth their effort", meaning that the provider, after directly pointing at Virtualizor, decided to go into silent mode when asked for proof of the issue.
Is this the same thing that was happening in the recent Cloudcone etc attacks?
Almost certainly. At least @ouiheberg were convinced enough to remove Virtualizor from their environment.
Wow, if that's the case I feel like Virtualizor could be in some serious legal trouble
Nobody actually knows. OuiHeberg ghosted both this thread and Virtualizor, so unless they decide to speak up, everything is pure speculation.
Same thing with ColoCrossing. Their little whoopsie was largely covered up, and yet, they're still running Virtualizor in production for their VPS. Any information you see is again speculation, until/if ColoCrossing ever come clean. But one would like to think that ColoCrossing would have switched to a different panel by now had they found a vulnerability in the product.
What we do know is that Softaculous (Virtualizor's parent) had a security incident in 2024/2025 after some screenshot‑grabbing software on support workstations got compromised. It’s highly likely - though still speculative - that the whole shebang traces back to that. Low end host = low end priorities, and frequent password cycling isn't top of the list.
Until Virtualizor, Rack911, OuiHeberg, ColoCrossing or CloudCone release something concrete, nobody has a clue and we're all chatting theorisms.