Afrihost's insecure client portal

JerryMungo (Honorary Master, joined Jul 18, 2008; 37,738 messages, 6,419 reaction score)
So I got a bandwidth notice to tell me that I'm at 90% of my available limit this month. I'm in an office sharing with others, so I forwarded the email to everyone with a note saying 'please go easy until the end of the month'.
What I didn't know is that there's a link within the email that takes you straight to my client zone profile without a password... now the entire office can access the client zone and see all the details including ADSL password.

Not to mention payment method, ID number, etc.

Really really poor show AH!
 
The Notification Emails are sent using our Secure Mail System, ensuring that your details remain safe and confidential at all points until the delivery is completed.

The direct link to the Clientzone contained in the Email is intended to add convenience, if you would wish to top-up your account.

That mail is intended only for personal use, and is not meant to be disseminated in an office environment. If you are concerned about your Clientzone access, you are able to reset the Clientzone password under the My Details area; this will then render the link in the Email non-functional.
 
The Notification Emails are sent using our Secure Mail System, ensuring that your details remain safe and confidential at all points until the delivery is completed.

The direct link to the Clientzone contained in the Email is intended to add convenience, if you would wish to top-up your account.

That mail is intended only for personal use, and is not meant to be disseminated in an office environment. If you are concerned about your Clientzone access, you are able to reset the Clientzone password under the My Details area; this will then render the link in the Email non-functional.

Why should I assume anyone would email a link that gives direct access to a secure area on their website without requesting the password - who does that?

On the second note - changing the password helps nothing, I've just changed the password and the link still gets me into my account without requiring a password! What makes you think changing the password helps?

Not personal, but ooi - this is serious guys. How do I deactivate that URL? Some of my staff could have malware on their laptops and that URL could be doing the rounds by now.
 
Why should I assume anyone would email a link that gives direct access to a secure area on their website without requesting the password - who does that?

On the second note - changing the password helps nothing, I've just changed the password and the link still gets me into my account without requiring a password! What makes you think changing the password helps?

Not personal, but ooi - this is serious guys. How do I deactivate that URL?

He has a very good point, a direct link to a secure area should always ask for a password unless there is a pre-auth, i.e. cookies.
 
Why should I assume anyone would email a link that gives direct access to a secure area on their website without requesting the password - who does that?

On the second note - changing the password helps nothing, I've just changed the password and the link still gets me into my account without requiring a password! What makes you think changing the password helps?

Not personal, but ooi - this is serious guys. How do I deactivate that URL? Some of my staff could have malware on their laptops and that URL could be doing the rounds by now.

Can you please send me a PM with the username of the account as well as the link itself. I will be able to invalidate it from my side.
 
He has a very good point, a direct link to a secure area should always ask for a password unless there is a pre-auth, i.e. cookies.

+1000

That is an extremely bad security practice. The link will be kept in the user's browser history. If the user is surfing via a proxy then it would be saved in the proxy logs. Not cool!
 
And the link in that mail will no longer work on anyone's computer, even if it is stored in the browser history.
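As an added illustration (not Afrihost's code, and not from anyone in this thread) of how an emailed deep link can be designed so that it does not behave as described above: the token is single-use, expires, grants only a narrow scope, is stored only as a hash, and is bound to the account's password version, so a password reset invalidates every link issued before it. The stores, functions and TTL below are hypothetical.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a portal database (hypothetical).
ACCOUNTS = {}      # username -> {"password_version": int, "email": str}
LINK_TOKENS = {}   # sha256(token) -> link record (token itself is never stored)

LINK_TTL_SECONDS = 24 * 3600   # assumed lifetime of an emailed link


def create_account(username, email):
    ACCOUNTS[username] = {"password_version": 1, "email": email}


def issue_link_token(username, scope="top-up", now=None):
    """Issue a single-use, time-limited token for one emailed deep link.

    The scope limits what the link can do (e.g. top-up only, not viewing
    account details); the password_version binds it to the credentials that
    were current when it was sent.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username,
        "scope": scope,
        "expires": now + LINK_TTL_SECONDS,
        "password_version": ACCOUNTS[username]["password_version"],
        "used": False,
    }
    return token


def redeem_link_token(token, now=None):
    """Return (username, scope) if the token is valid, otherwise None.

    A redeemed token is marked used, so a copy left in browser history or a
    proxy log cannot be replayed later.
    """
    now = time.time() if now is None else now
    rec = LINK_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    if rec["password_version"] != ACCOUNTS[rec["user"]]["password_version"]:
        return None   # password was reset after this link was sent
    rec["used"] = True
    return rec["user"], rec["scope"]


def reset_password(username):
    """Bumping the version invalidates all outstanding emailed links."""
    ACCOUNTS[username]["password_version"] += 1
```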
 
Can you do anything once you're in without it notifying the owner or asking for permission?
 
Can you do anything once you're in without it notifying the owner or asking for permission?

Yep, you can change your access details including email address - no confirmation email is sent or required to effect that change. From there you can do what you like.
 
Yep, you can change your access details including email address - no confirmation email is sent or required to effect that change. From there you can do what you like.

Well that's not cricket. There should be two-step authentication for changes of e-mail address.
 
Well that's not cricket. There should be two-step authentication for changes of e-mail address.

They have kindly manually deactivated my link, but unless someone tells me otherwise, I don't see an effort on Afrihost's part to resolve this...
AfriGenie, Please keep us posted. Probably better than having RPM run a news article ;)
 
Wow, this is extremely bad security from Afrihost. I am extremely shocked! Anyone with even the most basic of security knowledge knows there is no such thing as "secure" email... that is why solutions such as PGP exist!

This makes me seriously consider whether people should be trusting them at all, especially when they offer services such as web hosting and VM hosting.
 
Wow, this is extremely bad security from Afrihost. I am extremely shocked! Anyone with even the most basic of security knowledge knows there is no such thing as "secure" email... that is why solutions such as PGP exist!

This makes me seriously consider whether people should be trusting them at all, especially when they offer services such as web hosting and VM hosting.

Dramaqueen post of note.
They've made it convenient to log in, and I know most of my less savvy clients really appreciate it, instead of having to rummage around for their login details.

Keep your **** secure and there's no problem.
 
Dramaqueen post of note.
They've made it convenient to log in, and I know most of my less savvy clients really appreciate it, instead of having to rummage around for their login details.

Keep your **** secure and there's no problem.

Much easier to blame Afrihost.
 
Dramaqueen post of note.
They've made it convenient to log in, and I know most of my less savvy clients really appreciate it, instead of having to rummage around for their login details.

Keep your **** secure and there's no problem.

IMO you should really be educating clients about security rather than encouraging laziness. My 5c.
 
Dramaqueen post of note.
They've made it convenient to log in, and I know most of my less savvy clients really appreciate it, instead of having to rummage around for their login details.

Keep your **** secure and there's no problem.

Much easier to blame Afrihost.

Actually it's pretty much industry standard NOT to do this. How about not apportioning blame and fixing a hole?
 