UK-based hosting and domains provider 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process.
A reader and 123-reg hosting customer got in touch after failing to get action directly from the hosting firm over the problem, which he claimed had first surfaced in March.
The issue relates to accessing MySQL databases using phpMyAdmin. This access should run over SSL, but that had been broken for weeks, which meant that all database access over this route was unencrypted, as our tipster (who asked to remain anonymous) explained:
The issue concerns access to MySQL DBs over the web. If I want to look at the contents of a DB directly, using phpMyAdmin, I am directed to a particular server. I need to enter the username and password, but then I can see the phpMyAdmin page and have access to all the DB contents and structure. It is this page that is unencrypted. (Bizarrely, I have another site hosted on an older package that IS encrypted when you look at phpMyAdmin.) So traffic to or from this DB page could be intercepted.
After queries from El Reg, 123-reg moved promptly to resolve the issue. The hosting firm said that only an (unspecified) "small number" of its hosting customers were ever affected:
On Friday, our security team confirmed and fixed an encryption issue that a small number of 123 Reg hosting package customers may have encountered when accessing MySQL databases through their login page. We take the security of our customers’ accounts very seriously and would like to reassure our customers that there is no indication of any data or personal information loss or interception as a result of this issue. Thank you to our customer—and the broader community—for “white hat” reporting these types of potential vulnerabilities, as they help make our systems stronger.
We double-checked with our tipster, who confirmed the issue had been resolved. "I've just checked the access to phpMyAdmin on the affected hosting package," he said. "The good news is, the connection is now secure. Unfortunately, they've broken the link from their dashboard, so I had to manually enter the credentials again, but that is progress." ®