OT: Problem with hosting company ignoring a privacy violation/hole - what do you do?
[EDIT: Title edited, Hyperbole removed]
Sorry this post is off-topic - I considered posting it to a security forum but it's really more of an ethics question and I'm hoping that somebody might have some input or that it might stimulate a discussion. Here's the situation:
A client of mine is using a particular web hosting provider who for the time being we'll just call "The Company." Over the course of doing work for this client we needed to retrieve a lost password. Most web sites offer a 'lost password' feature which either resets or emails you your password. The Company's password retrieval mechanism asks you to input the domain name in question and it will email your password to the email address on file. The problem is that after you click submit, the system spits back the following confirmation message:
The account settings e-mail for your username has been sent to me@example.com.
...except it had my real email address! It doesn't take a security expert to see the problem here. Any enterprising young hacker could compile a collection of domain names hosted at The Company (there are many ways to do this), write a short script, and instantly have access to the email addresses associated with those domain name accounts at The Company! Personal information is being exposed to users who have not authenticated themselves. This is a huge problem!
On Dec 19 I emailed The Company using the email address listed on the privacy policy as a contact for matters regarding customer privacy. I also asked them to cancel my account. When I hadn't heard back from them in 24 hours, I emailed them again:
(Dec 20) It's been over 24 hours and I have not heard from you regarding this issue. As it is a critical issue for likely thousands of people, I feel the need to press you to fix it immediately. I feel compelled to bring this into the public eye via a blog post, but I would hate to make it public before you've fixed the issue. It would be better for the headline to read 'The Company fixes privacy glitch' than 'The Company exposes thousands of email addresses to the public'. However, I believe there is no other option if I perceive inaction on your part. Please respond promptly with the status of this issue and what you are doing to resolve it.
Finally on the 24th I received an email back from The Company:
Thank you for contacting us.
You have two accounts and both are active. This is the reason we have sent the notice. We have not sent the notice to public. If you don’t want to keep the account active then you can cancel the account.
Is there a specific reason why you are canceling your account? Perhaps, if I knew why you were canceling, we could work something out so that The Company could better suit your needs.
In order to discontinue your services we will need for you to contact our Billing Department at *snip* or *snip*. Our Billing Department is available Monday - Friday 10:00 AM - 7:00 PM Eastern Time.
Thank You.
Sincerely,
Spencer *snip*
Customer Support
It was apparent to me that nobody had really read the email I sent, or that perhaps I hadn't been clear enough. So I immediately sent it back to Spencer, highlighted in yellow.
On Dec 25, I received a Survey Monkey request from The Company asking me to rate the quality of the customer support. You can only imagine the feedback I left. I also received a reply from The Company regarding the issue:
Thank you for your patience.
We apologize for any inconvenience this may have caused you. We have not sent the notice or e-mail to the public. However, I was not able to duplicate your issue. In order to investigate further, please get back to us with more information on the issue you experienced regarding security.
Please reply to this e-mail with the requested information, so that we can assist you further.
Sincerely,
Stephen *snip*
Customer Support
It was clear to me that The Company did not understand the problem they were facing. So, I immediately provided them step-by-step instructions to replicate the issue:
(Dec 25)
Stephen - To replicate the issue:
1) Click on 'Forgot Password?'
2) Input a domain name hosted by The Company.
3) Profit. That's it. You now have access to the email address associated with that domain name.
I URGE YOU. Please forward this to somebody at your company who deals with COMPUTER SECURITY.
By January 2 I had not received a reply. So, I sent the following:
I assume from the lack of response on your part that you believe this to be a non-issue.
I don't know what else to do other than to make this information public in the hopes that some pressure from your customers will hasten a solution.
And on the 3rd received this response:
Thank you for your reply.
We apologize for any inconvenience this has caused you. We do send our customers Account Login Information only to their Administrative E-mail Address which we have on our file. If you feel that someone is using your Account Login Information, I suggest you to change your account password. We do not give any personal information to anyone without the authentication.
If you have any further questions, please don't hesitate to contact us. We are available 24x7.
Sincerely,
Harry *snip*
Customer Support
Please forgive my response:
HONESTLY.
You guys are RETARDED.
I am not saying that you SEND account login information via email. I'm saying that you are REVEALING PEOPLE'S EMAIL ADDRESSES VIA THE WEB BROWSER.
I have NO FAITH in the people you have working there. NO FAITH in you.
The Company is gonna fry.
And today I received the most recent response:
Thank you for getting back to us.
We apologize for any inconvenience this has caused you. As we are sending only the e-mail address not the password of the mailbox. The only person who knows the password for this mailbox is the user of the e-mail address. So, it is impossible to reveal the e-mail address to the public.
If you have any further questions, please don't hesitate to contact us. We are available 24x7.
Sincerely,
Sally *snip*
Customer Support
To which I responded:
You are NOT LISTENING to what I am saying.
If I type a DOMAIN NAME (not a password, not an email address) into the 'Forgot Password' form, it reveals the EMAIL ADDRESS associated with that domain name. Thus, if I have a LIST OF DOMAIN NAMES that The Company hosts, I can retrieve a LIST OF EMAIL ADDRESSES associated with those domain names.
The only thing I need to do to gather a LIST OF DOMAIN NAMES that The Company hosts is to do some DNS record hunting.
Does it seem like we're going around in circles here? I have no idea what to do. I obviously don't want to make this information public because it could expose a lot of people's data. But, is there another choice? Discussion welcome.


Well....
This is really a privacy thing more than a security thing. And, most domains list email contacts in WHOIS anyway, which is public.
It's hardly a best-practice, but I dunno if it's really a gaping hole either.
Clearly, they have some issues with tier-1 support though. It's par for the course, but still annoying.
http://www.chapterthreellc.com | http://www.outlandishjosh.com
The hosting company you are
The hosting company you are dealing with obviously does not understand the issue at hand. I would suggest offering a solution to fix their issue. They can easily fix this issue by asking for both the domain name AND the administrative email address they have on file for the domain name on the "Forgot Password" form. This way email addresses aren't exposed by simply typing someones domain name that is hosted by the company.
From the responses you're getting, it seems that only customer support has been dealing with the issue. Most of the time they're ignorant when it comes to anything other than resetting a password, or helping a customer login to their account, or fixing a billing issue (normally they're not that tech savvy, or they've recently entered the field and are learning). They don't understand the problem. Do they have a security email address that you can send your message to?
Okay "gaping" was
Okay "gaping" was overstating it - my bad. But it's not the WHOIS database info, it's the customer's email associated with the account.
I had a hard time finding any email at all to send my complaint to. I emailed it to customer support, but I also emailed it to privacy@thecompany.com (listed on their privacy policy as the contact email) and have not heard anything back from them there.
The Company is a large player which claims to host over half-a-million web sites.
HI, I do not think that this
HI,
I do not think that this has anything to do with the topic of this group. It would be better if you posted this into a hacker forum. You would serve an interesting thing to the appropriate audience.
But at this place - it's simply time consuming! I read this post because a) it could concern me, and b) because I thought I could help. Well, I'm a bit disappointed.
Sorry to disappoint
Ben, sorry to disappoint. I certainly didn't mean to waste anybody's time. I considered posting it at Slashdot but I didn't quite know where. If you can suggest a proper venue I would happily move it there. I posted it here because I respect the opinions of many of the Drupal/Dojo communities and thought it might stimulate some interesting discussion.
What is the name of the company?
Please send me a private message. Thanks!
call... use the, ya know, -phone-
I can't stress enough that you need to use a phone when you need things dealt with and email has clearly not worked. I agree, I hate it just as much (probably more than) the next guy -- I don't even like ordering pizza. However, there are people (even HOSTING COMPANIES!) who can't figure out a good workflow using email. If you talk to someone directly, you have the opportunity to explain the situation in about 5 minutes, with the -same person- asking questions when they don't understand (instead of an email from Harry, and email from Marge, and another email from Horton). If they don't understand, they may pass you up the chain to someone who does understand. That's my $0.02.
.cw.
No, No. No. Phones aren't better than email.
If I had to resort to picking up the phone to explain a problem this simple to a large internet hosting company, I'd cancel all my accounts with them, black-roll them on my own blog, and tell everyone I knew that they can't be trusted with the interwebs cause they can't actually communicate over the interwebs.
Senpai (my d.o account)
I agree, phones are not
I agree, phones are not better than email, especially when you have a complaint. One of the best ways to document your communication is by having a paper trail (or email trail).
Thanks cw. Using the phone
Thanks cw. Using the phone was my first inclination, but after calling The Company and waiting on hold for 30 minutes before hanging up, I decided that wasn't the best option. I'll try again (on Skype so I don't have to hold the phone to my head).
No email, no phone...
A quick update... Tried the phone to no avail. After following the menu-tree, I'm told: "All lines are busy at this time. Please try again later. Goodbye." Still having the same results with email inquiries. I don't believe I have any choice but to go public with this information. The hosting company in question is iPower which claims to host 700,000 web sites. If you use them, find another hosting provider before this company COMPLETELY IMPLODES.
I've turned some of my anger into a complaints web site at iPowerComplaints.com.
Thanks to those who provided some input, my apologies if you don't believe this was the proper venue to do so.