123-reg resolves secure database access snafu

Catches up with https everywhere memo

By John Leyden


UK-based hosting and domains provider firm 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process.

A reader and 123-reg hosting customer got in touch over the issue after failing to get action directly from the hosting firm over the problem, which he claimed had first surfaced in March.

The issue relates to accessing MySql databases using phpMyAdmin. The access should be using SSL but had been a problem for weeks, which meant that all database access over this route was unencrypted, as our tipster (who asked to remain anonymous) explained.

The issue concerns access to MySql DBs over the web. If I want to look at the contents of a DB directly, using phpMyAdmin, I am directed to a particular server. I need to enter the username and password, but then I can see the phpMyAdmin page and have access to all the DB contents and structure. It is this page that is unencrypted. (Bizarrely, I have another site hosted on an older package that IS encrypted when you look at phpMyAdmin.) So traffic to or from this DB page could be intercepted.

In response to queries from El Reg, 123-reg responded promptly to resolve the issue. The hosting firm said that only an (unspecified) "small number" of its hosting customers were ever affected.

On Friday, our security team confirmed and fixed an encryption issue that a small number of 123 Reg hosting package customers may have encountered when accessing MySql databases through their login page. We take the security of our customers’ accounts very seriously and would like to reassure our customers that there is no indication of any data or personal information loss or interception as a result of this issue. Thank you to our customer—and the broader community—for “white hat” reporting these types of potential vulnerabilities, as they help make our systems stronger.

We double-checked with our tipster, who confirmed the issue had been resolved. "I've just checked the access to phpMyAdmin on the affected hosting package," he said. "The good news is, the connection is now secure. Unfortunately, they've broken the link from their dashboard, so I had to manually enter the credentials again, but that is progress." ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

DraftKings rides to court, asks to unmask 10 DDoS suspects

Fantasy sports outfit looks to hunt down group that bombarded its site

Azure storage adds static HTML website hosting

Seven years after AWS S3, but just in time for serverless

World's biggest DDoS-for-hire souk shuttered, masterminds cuffed taken down by Europol plod and chums

Knock, knock. Whois there? Get ready for anonymized email addresses after domain privacy shake-up

Looming GDPR Euro law sends ICANN back to drawing board

DreamHost smashed in DDoS attack: Who's to blame? Take a guess...

Is it the alt-right or anti-fascists? Most likely the latter

Denial of denial-of-service served: There was NO DDoS on FCC net neutrality comments

Probe confirms: No attack, just an incredibly unpopular policy brought down feedback site

TalkTalk, UK2 sitting in a tree, not T-A-L-K-I-N-G: Hosting biz cut off after ISP broadband upgrade

Updated 'Not an issue with our network', say techies

US senators get digging to find out the truth about FCC DDoS attack

And why serial self-promoter John McAfee is a security expert on Russian hacking

World's biggest DDoS attack record broken after just five days

Memcached attacks are going to be this year's thing

Wickr gets slicker with fresh network tricker: Privacy-protecting domain fronting alternative emerges

Secure messaging maker courts biz comms gigs with Psiphon's help