123-reg resolves secure database access snafu

Catches up with https everywhere memo

By John Leyden


UK-based hosting and domains provider firm 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process.

A reader and 123-reg hosting customer got in touch over the issue after failing to get action directly from the hosting firm over the problem, which he claimed had first surfaced in March.

The issue relates to accessing MySql databases using phpMyAdmin. The access should be using SSL but had been a problem for weeks, which meant that all database access over this route was unencrypted, as our tipster (who asked to remain anonymous) explained.

The issue concerns access to MySql DBs over the web. If I want to look at the contents of a DB directly, using phpMyAdmin, I am directed to a particular server. I need to enter the username and password, but then I can see the phpMyAdmin page and have access to all the DB contents and structure. It is this page that is unencrypted. (Bizarrely, I have another site hosted on an older package that IS encrypted when you look at phpMyAdmin.) So traffic to or from this DB page could be intercepted.

In response to queries from El Reg, 123-reg responded promptly to resolve the issue. The hosting firm said that only an (unspecified) "small number" of its hosting customers were ever affected.

On Friday, our security team confirmed and fixed an encryption issue that a small number of 123 Reg hosting package customers may have encountered when accessing MySql databases through their login page. We take the security of our customers’ accounts very seriously and would like to reassure our customers that there is no indication of any data or personal information loss or interception as a result of this issue. Thank you to our customer—and the broader community—for “white hat” reporting these types of potential vulnerabilities, as they help make our systems stronger.

We double-checked with our tipster, who confirmed the issue had been resolved. "I've just checked the access to phpMyAdmin on the affected hosting package," he said. "The good news is, the connection is now secure. Unfortunately, they've broken the link from their dashboard, so I had to manually enter the credentials again, but that is progress." ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

When should I run backup, robot overlord? Autonomous Hadoop and NoSQL backup is now a thing

Imanis Data bets data management farm on backupbot

Dell forgot to renew PC data recovery domain, so a squatter bought it

Days later it served malware, but the only visible damage was to Dell's reputation

Web domain owners paid EasyDNS to cloak their contact info from sight. It was blabbed via public Whois anyway

Registrar apologies as punters wait for spam tsunami domain hacked, plastered with trolling, filth and anti-transgender vandalism

Web admin blames public Whois and lack of 2FA

Azure storage adds static HTML website hosting

Seven years after AWS S3, but just in time for serverless

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

Email addresses, hashed passwords, and other details from mid-2000s era swiped

Domain name 'admin' role eyed up as latest victim of Whois system's GDPRmeggdon

Plus anonymous email and all personal info to be redacted

Enterprise backup bods treat kit for ransomware code lurk

Hoping to purge it of backup attack loops

Knock, knock. Whois there? Get ready for anonymized email addresses after domain privacy shake-up

Looming GDPR Euro law sends ICANN back to drawing board

Legal tech startup tries to haul 123-Reg to court over 24-hour backup claims

You know those Ts&Cs you used to offer on your website? Yes that one.