Afrihost Email Links Security Flaw?

blackstarzes

Ever received one of those deep-links from Afrihost? Well it turns out they automatically log you in with full power over the account!

Do yourself a favour:
1. Go through your Afrihost emails for links that contain "https://clientzone.afrihost.com/tiny/" (the full links look like "https://clientzone.afrihost.com/tiny/ABCDE12345" or similar)
2. Copy that link and paste it into a browser in incognito mode (or clear all cookies/sessions/cache etc)
3. Voila! Logged into Afrihost with access to do absolutely ANYTHING - cancelled a domain without even a prompt for credentials

WTF Afrihost? How can you not ask for credentials at all?! These are security 101 principles!
 
I must admit I did notice this with my free data gift thing today, was a bit surprised but thought it was Chrome logging me in.
 
Hi guys

A similar topic has been discussed before.
We're extremely confident in our security practices, and to date have not had a security breach on our systems. Ever.

We've also sent out previous mystery bonuses in the same manner.
Once the data has been claimed and allocated to the account, you cannot do so again - so if you're the only one with the mail there shouldn't be an issue.

Ultimately, our systems are set up for security, and our teams do a fantastic job of keeping everyone's info safe and secure, but certain features require a certain level of convenience.
 
Has this been discussed before? If so, what was Afrihost's final response to the thread?

I can't remember, was some time ago... I can't find the thread.
But was basically the same thing.
Unsecured email links in their bonus data award emails.
 

Hi Afriguy...

The problem is I have clicked 6 times on the link in the "Thank you (and a Gift)" email today and it's still working. I don't know if I get another 118GB every time... but I can definitely navigate around my dashboard from there.
 
The data is only eligible to be redeemed once.
 
Thanks! Can I bookmark that link for instant access into my dashboard for future use as I am constantly forgetting my username and password?
 
Hi AfriGuy.

We will have to agree to disagree here. A lot of my information is available from ClientZone, and I'd rather not have this particular loophole.

How do I disable this feature on my account?
 
I don't think so, I think that link has been specifically generated for the mystery bonus.
 
I guess you can disable mails for promotions/any contact via ClientZone - but that means you won't know if/when there's a promo happening.
As long as you don't FW the mail to sketchy people, you're fine.
 
Something amiss here Afri*
Clicked on that link in the email again, the little counter started and is still running. It's over 1500% now
 
Woops!
Let's check this out - could you PM me your DSL username please?
 
All of those are already unchecked. This was an email I received for domain renewal.

AfriGuy, I'd like to ask you if sending passwords in plain text via email is safe (let alone best practices)? Because now I have a link with which I can go and change my Afrihost password (without a prompt for my old password). Not only that, I don't even get a password change notification! Effectively locking me out of my own account, without my knowledge.

Right, so how am I supposed to tell my mother that Afrihost is safe and secure etc? I can't expect her to check all the links in the emails that she forwards? Especially as she forwards all of her "amazing deals" to her entire address book!
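As an added illustration of the mitigation the thread is asking for (this is not Afrihost's code; the class and names are assumptions), an e-mail deep-link token can be single-use, time-limited and bound to one action, so that clicking it six times keeps working only once, and a token issued to claim a bonus cannot be redeemed to change a password:

```python
import hashlib
import hmac
import secrets
import time


class EmailLinkTokens:
    """Hypothetical store for e-mail deep-link tokens.

    Each token is random, expires, is bound to a single action ("scope"),
    and is invalidated the first time it is redeemed. Only a SHA-256 digest
    of the token is kept server-side, so a copy of the table does not yield
    working links.
    """

    def __init__(self, ttl_seconds=24 * 3600, now=time.time):
        self._store = {}          # digest -> record (in-memory stand-in for a DB)
        self.ttl = ttl_seconds
        self.now = now            # injectable clock, handy for testing expiry

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, scope):
        """Create a link token that can perform exactly one `scope` for `account`."""
        token = secrets.token_urlsafe(32)
        self._store[self._digest(token)] = {
            "account": account,
            "scope": scope,
            "expires": self.now() + self.ttl,
            "used": False,
        }
        return token

    def redeem(self, token, scope):
        """Return the account if the token is valid for `scope`, else None.

        Fails closed on unknown, expired, already-used or wrong-scope tokens;
        a scope mismatch does not consume the token.
        """
        rec = self._store.get(self._digest(token))
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return None
        if not hmac.compare_digest(rec["scope"], scope):
            return None
        rec["used"] = True        # single use: the second click gets nothing
        return rec["account"]
```

A link handled this way grants only the one action it was issued for; anything else in the dashboard, such as a password change, would still require a fresh credential check.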
 
I think it's a generic problem. Probably an oversight from dev.
What happens when anyone else clicks on the link in the email again?
 