WHMCS.com hacked

I can't really agree on this, I'm not a big CC user myself (it isn't that popular in my country), but I don't think I can get access or get a PIN number or anything just by supplying the last four digits. I might be able to answer some questions to block my card. To get something new, I first get a notice through the mail, then I need to show up at a local office with that notice + I.D.

Now a hosting company isn't a bank, so you don't have to show up somewhere, but I still think only confirmed channels should be used: registered phone/SMS/physical mail or e-mail.

I do agree that WHMCS has been trying to lay off responsibility and that they're playing to be only a victim, but I do think HG could also do something.

I'm not sure if I follow you on the PCI requirements, couldn't they also just have used an outsourced provider, so they don't keep the numbers themselves? Then they would've been hacked anyway. The goal of this hack wasn't the CC info, I think.

Things sound a bit different in your country; where we live (US)... you don't have to go into a bank to make changes, you can call over the phone to speak with a live person, in which case they ask you a set of security questions, usually about 5, one of which is the last 5 digits of a card. It is the same when I use online banking... it asks me a set of security questions.

We do not and obviously cannot provide our ID when doing this... but yet we can cancel a card, order a new one, transfer money, change password, doesn't matter.

This isn't just US banks either... here is another great example, since this is concerning a merchant... most merchant account providers do not have a physical location where you can just stop by to show ID, in most cases they are on the other side of the country... they all rely on security questions for authentication. Which is most likely why the rule is in the PCI compliance requirements in the first place: to have secure questions and answers that could only be known to the account holder.

Hosting companies are no different, they ask a set of security questions, all of which the attacker on WHMCS had the answers for, so obviously they were crap security questions, which is violation #1 of PCI compliance requirements.

The second rule of PCI compliance that was violated is that on any system holding cardholder data, you must change the passwords after a vendor is done doing any work they are tasked to do; even if they are a 24/7 vendor, it specifically states they should not have 24/7 access. In this case the vendor is their hosting company. If they had followed PCI compliance, the vendor (Host Gator) would never have had the password to give out in the first place.

This attack would never have been successful if they had followed the PCI requirements.

All this does is make you wonder how many other PCI violations they have, since they are violating such basic and obvious rules.

This is not related to the fact that WHMCS was hacked, but today WHMCS released a security patch: http://www.webhostingtalk.com/showthread.php?t=1159268

Check this out: http://krebsonsecurity.com/2012/05/whmcs-breach-may-be-only-tip-of-the-trouble/

Seems said exploit has been out for 4 months... now I find the words used in WHMCS' latest announcement about the security patch interesting:

"And so we are releasing an immediate patch before the details become widely known."

Hmm, odd, seems you are 4 months behind for a statement like that.

"The events of last week have obviously put a lot of focus on WHMCS in recent days from undesirable people."

They are probably right... but the two exploits were made and sold 4 months ago... has nothing to do with the attack, or maybe it does :( and we are being lied to.


Don't get me wrong, my point here is not to bash WHMCS, we love and use the system, I am just losing faith in the ability to trust them on many different levels... security of their systems with cardholder data, and their announcements / what they tell the public... seems to me they are more interested in diversion.

Did I mention there is still a second exploit... I don't see them mentioning that or releasing a patch for that, or addressing or warning their users about that?

Here is the guy that released the code that allowed WHMCS to make today's patch...
http://seclists.org/fulldisclosure/2012/May/292

He leaked it from a private forum; as you can see, he states there is another one... why has WHMCS not addressed this other unknown security bug? Why are they not auditing their code to find it? Why do they not have 3rd party code audits done? You would think this would be standard practice for a billing system.


Honestly, now that the attention is on WHMCS... we WHMCS users are going to be in for a nightmare of a ride, because these are just the beginning until WHMCS gets their code audited.

My advice to anyone... move your cardholder data into a vault-like service, depending on your gateways... also password protect your admin folder with .htaccess.

I am almost afraid to install the patch... honestly I don't think their systems are secure even after all of this... I just don't have the trust that their files are not compromised, especially since another 0day is still floating around out there, and who is to say that they didn't use this very one to re-hack the WHMCS servers after they restored everything.
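For readers following the advice above about protecting the admin folder with .htaccess, here is an added illustration (example configuration, not from the thread or from WHMCS) of what that looks like on Apache 2.4. The path of the password file and the trusted address range are placeholders, and it assumes mod_auth_basic, mod_authn_file and mod_authz_core are loaded and that AllowOverride permits AuthConfig for the directory.

```apache
# Example .htaccess for the WHMCS admin directory (added illustration, not from the post).
# Assumes Apache 2.4; the file path and IP range below are placeholders to adapt.

AuthType Basic
AuthName "Restricted area"

# Keep the password file outside the document root so it can never be served.
AuthUserFile /etc/apache2/whmcs-admin.htpasswd

# Require BOTH a valid login AND a trusted source address, so a leaked
# password alone is not enough to reach the admin pages.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>
```

Create the password file with Apache's own tool, using bcrypt hashing: `htpasswd -B -c /etc/apache2/whmcs-admin.htpasswd admin`. This layer sits in front of the application's own login, so it still helps even when a bug in the admin code itself is the problem, which is the concern the thread raises about the unpatched second exploit.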
 