I recently signed up for – and promptly dumped – Host Gator. The QOS (Quotient of Suckage) was off the chart but in this post I’ll focus on a surprising security exposure that was revealed in the process.
In order to request an SSL certificate for a new Host Gator account, you are required to fill out a form and include your account ID and password. They presumably have root access to the servers they host so it isn’t clear why they need this. As a rule, you should NEVER need to provide your ID and password to a vendor. But you can’t get the certificate without it so I entered it as requested. If Host Gator’s process had proceeded normally, that would have been the end of it. I’ve have received my SSL certificate and been none the wiser of the back-end security snafu.
HostGator uses the name servers at websitewelcome.com in Carrollton TX to host some of the Customer Support infrastructure, such as the server that accepted my SSL request form submission. The form submission results are then transmitted from the servers at websitewelcome.com to the back end servers at hostgator.com in Houston TX using email. In plain text. With the full credentials from the form submission enclosed. It isn’t clear who runs websitewelcome.com and it may be that it is a wholly-owned subsidiary of HostGator. Or not. The domain is privacy protected so we have no idea who it is that has your credentials. In the best-case scenario that it is HostGator behind the curtain, they are still emailing your credentials around where we can assume that they then sit in SMTP server logs for at least the required 7-year retention period.
First advice out of this: The requirement to change your passwords often doesn’t make sense if the threat it is supposed to mitigate is some hacker who is likely to use it as soon as it is obtained. If they have it, they have probably used it. But to mitigate against the threat of vendors who are careless with your data, changing your password every time you are forced to disclose it is essential.
This email transmission of passwords between what we hope Host Gator’s back end wouldn’t normally be visible to a customer like me. In this case though, it seems that websitewelcome.com has self-imposed a 500 emails per hour quota and managed to exceed it. Since the email was created with my address in the Reply-To, the bounce message came to me, along with the values in the form I’d submitted. This is the error message I saw:
Domain websitewelcome.com has exceeded the max emails per hour
(500/500 (100%)) allowed. Message discarded.
As if having my request discarded outright wasn’t bad enough, as I scanned down the email I eventually found the form contents that I’d submitted, complete with ID and password. By virtue of the email having passed through the SMTP servers at my current hosting provider, and their spam protection vendor, these are now exposed to potentially hundreds of people. Since my spam protection provider doesn’t support SMTP over TLS, the emails are potentially exposed to anyone sniffing the traffic between my email server and Host Gator. (Hello, NSA, Prism!) I immediately changed my password.
In the masthead of their web site, Host Gator proudly proclaims “Now hosting over 9,000,000 domains!” If a meager 1% of those use non-shared SSL, that’s 90,000 requests a year to obtain or renew a certificate and which require submission of ID and password. I have no idea what other types of request might require the customer to provide their ID and password and I hope I’m guessing low as to how many sites use SSL. Either way, that’s a lot of credentials floating about in email.
I could do the same thing in IBM MQ, with Enterprise-class security and encryption, for a few thousand dollars. Has Host Gator never heard of MQ? Of secure databases? Of OWASP or basic account management security?
More importantly, have Host Gator not heard of Heartland Payment Systems, who were reported to be the first to suffer a breach of data in transit due to hackers having placed a sniffer in their network? THIS just begs for that scenario to happen again. Malicious hackers with a sniffer inside of Host Gator could watch for packets with the strings “Your username:” and “Your password: ” and record the values, along with the associated domain names. Many of those passwords will have been reused at banking sites. Oh, joy.
Though the hackers could use those credentials to go after the payment and personal data Host Gator holds, the more attractive target would be to open up the control panels for the hosted web sites and modify the software modules used to provide the site’s services. It would be easy to insert code that would capture user login credentials, intercept shopping cart checkouts, or otherwise pwn the web site. With 9,000,000 web sites hosted, some are bound to be attractive targets for this kind of takeover. If done carefully so that Host Gator were not aware they were the source of the leaked credentials, it would be difficult to trace back to the root cause.
Could this be happening already? How would anyone know? One wonders how many sites hosted by Host Gator have been mysteriously taken over.
The sad part of all this is that we end users cannot tell from the outside that this is going on, except when it leaks out by accident, such as the bounced email I received. It’s entirely possible that the state of security for shared hosting is universally dismal and we don’t know it. However, what I do know is how bad it is at Host Gator, which is why I cancelled my account before I ever received that SSL certificate and won’t be hosting there any time soon.