123-reg resolves secure database access snafu

Catches up with HTTPS everywhere memo

By John Leyden

Posted in Security, 28th June 2017 13:07 GMT

UK-based hosting and domain provider 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process.

A reader and 123-reg hosting customer got in touch after failing to get the hosting firm to act on the problem, which he claimed had first surfaced in March.

The issue relates to accessing MySQL databases using phpMyAdmin. Access should have been over SSL, but this had been a problem for weeks, which meant that all database access over this route was unencrypted, as our tipster (who asked to remain anonymous) explained:

The issue concerns access to MySQL DBs over the web. If I want to look at the contents of a DB directly, using phpMyAdmin, I am directed to a particular server. I need to enter the username and password, but then I can see the phpMyAdmin page and have access to all the DB contents and structure. It is this page that is unencrypted. (Bizarrely, I have another site hosted on an older package that IS encrypted when you look at phpMyAdmin.) So traffic to or from this DB page could be intercepted.

Following queries from El Reg, 123-reg moved promptly to resolve the issue. The hosting firm said that only an (unspecified) "small number" of its hosting customers were ever affected:

On Friday, our security team confirmed and fixed an encryption issue that a small number of 123 Reg hosting package customers may have encountered when accessing MySQL databases through their login page. We take the security of our customers’ accounts very seriously and would like to reassure our customers that there is no indication of any data or personal information loss or interception as a result of this issue. Thank you to our customer—and the broader community—for “white hat” reporting these types of potential vulnerabilities, as they help make our systems stronger.

We double-checked with our tipster, who confirmed the issue had been resolved. "I've just checked the access to phpMyAdmin on the affected hosting package," he said. "The good news is, the connection is now secure. Unfortunately, they've broken the link from their dashboard, so I had to manually enter the credentials again, but that is progress." ®
