Massive Afrihost security flaw exposed

biometrics

Johannesburg - Internet service provider Afrihost says it has solved a massive security flaw that left the ADSL credentials of every single user vulnerable. However, a Durban software expert disagrees.

Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.

https://www.fin24.com/Companies/ICT/massive-afrihost-security-flaw-exposed-20180326

(Has this been posted yet, on my phone so hard to check?)
 
Why not just assign the login to the phone number or a unique phone line reference? Then you can't do anything with the login even if you have it.
 
Why not just assign the login to the phone number or a unique phone line reference? Then you can't do anything with the login even if you have it.
Capped accounts allow concurrent logins from multiple sites.
 
Sure, agreed. But not relevant to the article.

Yes it is. If a password dump could be taken, you've got good seeds for starting a brute force attack on someone's other accounts.
 
Yes it is. If a password dump could be taken, you've got good seeds for starting a brute force attack on someone's other accounts.
Oh ok I see what you're saying.

The problem is that the passwords are not stored as a one-way hash and can be decrypted by staff. Huge fail.
 
Capped accounts allow concurrent logins from multiple sites.

Yeah. So why not assign the logins to those specific line references? It can be done in a control panel or some such.

One for me, one for ma, one for pa, one for oom Piet. The logins are assigned to their line references and can only be used there.

It's not difficult.

Then on top of this, you can have a roaming account that requires 2FA...
 
Hey Everyone

We're aware of the article and I know that this was something we have been working on prior to Taylor Gibb's posts on Facebook.

I can't go into an in-depth discussion on a public forum, but I can say that we do have measures in place that would prevent some of the issues mentioned on this thread.

Clients can see all the numbers that connect to their DSL products. There was a feature that could flag and block unknown numbers (I haven't checked in a while). However, clients can contact us at any time and we will block any number that shouldn't be accessing their accounts from our system and investigate further.

We're actively looking into other preventative measures we can put in place.

We also don't store passwords in plain text. These are always encrypted.
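The "flag and block unknown numbers" feature described in the post above, and the earlier suggestion of tying each login to specific line references with a separate roaming account behind 2FA, as an added example (not Afrihost's code or data): it runs a per-user allowlist of line references over a few constructed RADIUS accounting records and makes the accept/reject decision an authorization step would make. The record format, the user names, the numbers, and the assumption that Calling-Station-Id carries the DSL line's number or circuit reference are all made up for the example; what that attribute actually holds depends on the carrier's BRAS/LAC setup.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed RADIUS accounting records (example data, not real ISP logs).
# Calling-Station-Id is assumed here to carry the DSL line's number; on a
# real network it may be a circuit ID or something else entirely.
SAMPLE_RECORDS = [
    "Acct-Status-Type=Start User-Name=me@isp.example Calling-Station-Id=0115550001",
    "Acct-Status-Type=Start User-Name=me@isp.example Calling-Station-Id=0115550002",
    "Acct-Status-Type=Start User-Name=ma@isp.example Calling-Station-Id=0315550003",
    "Acct-Status-Type=Start User-Name=me@isp.example Calling-Station-Id=0215559999",
    "Acct-Status-Type=Stop User-Name=me@isp.example Calling-Station-Id=0215559999",
]

# Lines each login may come from: what a client would register in a control
# panel (hypothetical data). A capped account can list several lines.
ALLOWED_LINES: Dict[str, Set[str]] = {
    "me@isp.example": {"0115550001", "0115550002"},
    "ma@isp.example": {"0315550003"},
}

# Attribute=Value pairs separated by whitespace; values contain no spaces here.
_AVP = re.compile(r"(\S+?)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one accounting line into an attribute dictionary."""
    return dict(_AVP.findall(line))


def unknown_line_logins(records: Iterable[str],
                        allowed: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (user, line) pairs for session starts from a line the user has
    not registered. Each pair is reported once, in first-seen order."""
    hits: List[Tuple[str, str]] = []
    seen: Set[Tuple[str, str]] = set()
    for raw in records:
        rec = parse_record(raw)
        if rec.get("Acct-Status-Type") != "Start":
            continue
        user, line = rec.get("User-Name"), rec.get("Calling-Station-Id")
        if not user or not line:
            continue  # malformed record; a real system would log it
        if line not in allowed.get(user, set()) and (user, line) not in seen:
            seen.add((user, line))
            hits.append((user, line))
    return hits


def authorize(user: str, line: str, allowed: Dict[str, Set[str]],
              roaming_users: Set[str], second_factor_ok: bool = False) -> bool:
    """Access-Request decision: a registered line is accepted; a roaming
    account is accepted only when its second factor has been verified;
    everything else is rejected, even with the correct password."""
    if line in allowed.get(user, set()):
        return True
    if user in roaming_users and second_factor_ok:
        return True
    return False


if __name__ == "__main__":
    for user, line in unknown_line_logins(SAMPLE_RECORDS, ALLOWED_LINES):
        print(f"ALERT {user} connected from unregistered line {line}")
```

Only Start records are inspected, so the Stop for the unregistered line does not produce a second alert, and the decision function is deliberately separate from password checking: a leaked password is useless from a line the account is not bound to.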
 
Hey Everyone

We're aware of the article and I know that this was something we have been working on prior to Taylor Gibb's posts on Facebook.

I can't go into an in-depth discussion on a public forum, but I can say that we do have measures in place that would prevent some of the issues mentioned on this thread.

We're actively looking into other preventative measures we can put in place.

We also don't store passwords in plain text. These are always encrypted.

Why not tell us how you stole users mobile data and took 10 days to fix it.
 
Johannesburg - Internet service provider Afrihost says it has solved a massive security flaw that left the ADSL credentials of every single user vulnerable. However, a Durban software expert disagrees.

Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.

https://www.fin24.com/Companies/ICT/massive-afrihost-security-flaw-exposed-20180326

(Has this been posted yet, on my phone so hard to check?)

I didn't see it either at the time; sent it to RPM to have an article drawn up.
I'm not surprised at all. Their security needs some attention.
 
Hey Everyone

We're aware of the article and I know that this was something we have been working on prior to Taylor Gibb's posts on Facebook.

I can't go into an in-depth discussion on a public forum, but I can say that we do have measures in place that would prevent some of the issues mentioned on this thread.

Clients can see all the numbers that connect to their DSL products. There was a feature that could flag and block unknown numbers (I haven't checked in a while). However, clients can contact us at any time and we will block any number that shouldn't be accessing their accounts from our system and investigate further.

We're actively looking into other preventative measures we can put in place.

We also don't store passwords in plain text. These are always encrypted.
Understandable

Why not tell us how you stole users mobile data and took 10 days to fix it.

AfriHost has gone from a small provider to many more customers; more time is needed to fix the problem.

I didn't see it either at the time; sent it to RPM to have an article drawn up.
I'm not surprised at all. Their security needs some attention.

It might not be done, but it would not be the first time for an ISP.

Security breaches are common, not just Afrihost but all the others.

Now in seriousness, @AfriMan. The best ISP 6 years ago used to be AfriHost; what happened?
Now you can be compared to CrapCom.
Get your things straight.
 
Hey Everyone

We're aware of the article and I know that this was something we have been working on prior to Taylor Gibb's posts on Facebook.

I can't go into an in-depth discussion on a public forum, but I can say that we do have measures in place that would prevent some of the issues mentioned on this thread.

Clients can see all the numbers that connect to their DSL products. There was a feature that could flag and block unknown numbers (I haven't checked in a while). However, clients can contact us at any time and we will block any number that shouldn't be accessing their accounts from our system and investigate further.

We're actively looking into other preventative measures we can put in place.

We also don't store passwords in plain text. These are always encrypted.

My one and only question is: can your support staff decrypt the password for a client's ADSL account?

If the answer to that is yes, then your security is up to shyte and Taylor Gibb is right to expose this bollocks far and wide.
 
My one and only question is: can your support staff decrypt the password for a client's ADSL account?

If the answer to that is yes, then your security is up to shyte and Taylor Gibb is right to expose this bollocks far and wide.

They can't.

They could in the past, and we always tried to balance the needs of our clients with security. Many clients are not that tech savvy, so we made it possible, subject to verification checks against their bona fides.

We've since removed that and our agents cannot view or change passwords (as far as I am aware).
 
We also don't store passwords in plain text. These are always encrypted.

The way I read the article is that this is exactly the problem: you can decrypt the passwords. That's not best security practice.
 
We've since removed that and our agents cannot view or change passwords (as far as I am aware).

Sounds like you made a menu change in your software, not fixed the underlying problem. You should be using a salt and a one-way hash algorithm; I'm not a security expert, but I know at least that.
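What the post above and the earlier "not stored as a one-way hash" comment are asking for, as an added example (not the thread's or Afrihost's code): a subscriber credential record built with salted PBKDF2-HMAC-SHA256 from the Python standard library, which support staff cannot turn back into a password, plus the one caveat a practitioner would want before applying it to ADSL logins. PAP can be verified against such a record because the client sends the password itself, but CHAP (RFC 1994) makes the server compute MD5 over the cleartext secret, so an ISP whose BRAS authenticates with CHAP cannot go fully one-way for that credential and has to choose between PAP and a reversible store. The store layout, user names, sample password and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Optional

# Hypothetical subscriber credential store (example code, not any ISP's system).
# A one-way record holds only a random salt, the iteration count and the
# PBKDF2-HMAC-SHA256 output, so neither a database dump nor a helpdesk screen
# can yield the password. The count is an assumption; tune it to your hardware.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> Dict[str, Any]:
    """Create a one-way record. A fresh salt per user means two users with the
    same password get different digests, so a dump cannot be grouped or
    attacked with one precomputed table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: Dict[str, Any], password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), int(record["iterations"]),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def pap_authenticate(store: Dict[str, Dict[str, Any]], username: str, password: str) -> bool:
    """PAP: the PPP client sends the password in the Access-Request, so the
    server can check it against a one-way record."""
    record = store.get(username)
    if record is None:
        return False
    return verify_password(record, password)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode("utf-8") + challenge).digest()


def chap_authenticate(store: Dict[str, Dict[str, Any]], username: str,
                      identifier: int, challenge: bytes, response: bytes) -> bool:
    """CHAP verification needs the cleartext secret to recompute the response.
    A one-way record (no 'cleartext' field) cannot serve it, so this raises
    rather than silently failing the login."""
    record = store.get(username)
    if record is None:
        return False
    secret: Optional[str] = record.get("cleartext")  # only a reversible store has this
    if secret is None:
        raise LookupError("CHAP needs the cleartext secret; a one-way record cannot verify it")
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


if __name__ == "__main__":
    store = {"me@isp.example": make_record("hunter2")}  # constructed test account
    print("PAP ok:", pap_authenticate(store, "me@isp.example", "hunter2"))
    try:
        chap_authenticate(store, "me@isp.example", 7, os.urandom(16), b"\x00" * 16)
    except LookupError as exc:
        print("CHAP:", exc)
```

The iteration count is stored with the record so it can be raised later for new or re-verified users without invalidating old ones, and the missing-user path returns False rather than raising so that the two failure cases are indistinguishable to the caller.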
 