Thursday, March 24, 2011

Crazy Verification and a pile of 'root' passwords

Analysis

Nowadays we guys have our own web sites and remote VPSes. We all have once worked or have been working with hosting vendors. One of the worst mistakes see very often is their support personnel on web based support systems. They asked customers to provide their root password, cpanel/plesk passwords  and many. They say the reason they ask user credential is to verify the owners of domains/IPs customer claims 'ownership'. We know all these are like saving passwords in a text editor in plain text way. Avoid this kind of vendors with stupid support staffs or stay away from revealing your passwords in this plain stupid way.

Risk

It's been known that keeping sensitive data in plain text is an ill mistake which poses a direct 0wnage if attackers can find where they reside. Attackers who compromise one of support personnel accounts or entire web-based support application would gain access to these pile of root passwords, too.

Solution


Tie the support ticket authentication to existing cPanel/Plesk authentication system so support staffs can ensure that those who request help are those who own the owners of the claimed domains/IPs. Use a dedicate secure server to store such clients' account credentials for staffs and clients to go in and edit for support matters.




No comments:

Post a Comment