Thursday, February 28, 2013

Multiple Hover.com Security Issues

I'm a customer of Hover for my domain name needs. However, that will be changing because I don't believe that they take issues seriously.

The first security issue

I was browsing their site, looking for a new domain, and being the constant tinkerer I am, I entered a single quote into the textfield. I noticed an error, and eventually crafted this url:
https://www.hover.com/domains/results?q=%27%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E
There's nothing magical in that URL; however, it demonstrated a real vulnerability in their code:
From that point, it could be trivial for an attacker to redirect traffic, and steal user sessions, thus being able to purchase domains with someone else's money.

I reported this issue to them, and had an update within 3 days. They had fixed it, and that URL is no longer vulnerable.

The second security issue

In January, I was discussing Cross-Site Scripting attacks with a coworker, and was talking about the finding I had with Hover and how quickly they responded. Upon further investigation, I found that they didn't really fix it, they just put a band-aid on it. I found the following URL was still vulnerable, but it was a little harder to exploit (onMouseOver):
https://www.hover.com/domains/results?q=hi.com%27%20style%3d%27height:10000px%27%20onmouseover%3d%27alert%28%22xss%22%29
This really depressed me, since I have spent my fair share of time being a developer, and I always tried to actually fix problems, instead of just making the symptom go away. Again, I reported the issue, hoping that I'd get another quick turnaround. I asked them to reply within 30 days to indicate their intent on coordinating efforts for remediation. I waited, but I still have no response from them, and it's been over 30 days. I still can't believe they couldn't even respond with a "We're working on it" response.

The billing issue

I received an email from Hover about a domain name of mine expiring soon. I went into my account, and saw that the credit card was expired, so I went to update it. Unfortunately, I got this error instead:
Declined by Fraud Service
Now, I figured that it was some sort of error, and tried filling it out a couple more times, verifying my card number was correct. After all, I was only updating the expiration date, nothing else. Unfortunately, all this resulted in was several temporary one dollar charges on my credit card.

Again, I contacted Hover and was disappointed yet again. I stated that I was trying to update my credit card details, and instead they renewed my domain for another year, and said, "it failed when you placed the order, but I was able to renew it on my end". I was a bit upset because I hadn't yet decided if I was going to renew through them or not, due to the previous security issues. I replied back that it still wasn't helping me for my other domains that will need to be renewed at some point, and was given these instructions to help troubleshoot:
  1. Use only the first and last name, no middle initial.
  2. Change the phone number to numbers only, no hyphens.
The first one was a bit odd, since most credit card processors want your name exactly as it shows on the card. I complied, but it did not help. The second issue I thought was absurd because if their system didn't allow hyphens, why didn't they prevent the user from entering them? This is exactly what JavaScript validation is for. (Note that they should also validate it on the server side as well.)

Their next steps were to have me call, and give them my credit card number over the phone, and have a billing statement ready to verify every bit of information, as if I've never used a credit card on a website before. It was a bit insulting.

The 0-day security issue

I had recently read an article on inserting JavaScript into DNS to be used for exploitation. I was tinkering with this idea on my own domain names. Unfortunately, I ended up trying to diagnose why none of the DNS records I created in Hover's DNS Manager ever made it to their public DNS servers. I'm guessing they have some filtering on the back-end. Eventually I found that their DNS manager was also vulnerable to Cross-Site Scripting:
This time, it's a persistent Cross-Site Scripting vulnerability. Every time I navigate to my DNS management screen, I now get a dialog with my cookie. All a user had to do was add a TXT record with the following data:
<img src='https://drupal.org/files/images/sup-dog-magnet-c117515921.jpeg' onload='javascript:alert(document.cookie)\;'>
They apparently do not even try to encode user input on output at all. It's quite depressing.
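As an added illustration (not Hover's code, and not from the original post), here is a hypothetical search-results template rendered three ways: with no encoding, with the kind of script-tag stripping a band-aid fix amounts to, and with HTML entity encoding on output. It is checked against the two query payloads from the post and the TXT record payload above (the image URL is replaced by a placeholder), and the same encoder covers both the reflected and the stored case.

```python
import re
import html
from html.parser import HTMLParser

# Constructed inputs: the two reflected payloads are the URL-decoded q= values
# from the post; the TXT record data mirrors the post's stored-XSS record with
# the image URL replaced by a placeholder.
REFLECTED_PAYLOADS = [
    "'><script>alert('xss');</script>",
    "hi.com' style='height:10000px' onmouseover='alert(\"xss\")",
]
TXT_PAYLOAD = "<img src='https://example.invalid/x.jpeg' onload='javascript:alert(document.cookie)\\;'>"

# Hypothetical results template: q lands inside a quoted attribute and in element text.
def render_vulnerable(q):
    """No encoding at all: q can close the attribute and open new tags."""
    return f"<input name='q' value='{q}'><p>Results for {q}</p>"

def render_bandaid(q):
    """Strips <script> tags only. That stops payload 1, but payload 2 never needs
    a tag: it closes the value='...' attribute and adds an onmouseover handler."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", q)
    return f"<input name='q' value='{cleaned}'><p>Results for {cleaned}</p>"

def render_fixed(q):
    """Encodes for the HTML context: & < > " ' become entities, so the value can
    neither end the attribute nor start a tag, whether it arrived in a query
    string or was stored earlier as a DNS TXT record."""
    safe = html.escape(q, quote=True)
    return f"<input name='q' value='{safe}'><p>Results for {safe}</p>"

class _Tags(HTMLParser):
    """Collects (tag, sorted attribute names) for every start tag in the markup."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, sorted(name for name, _ in attrs)))

EXPECTED = [("input", ["name", "value"]), ("p", [])]

def injected(rendered):
    """True when the page contains any tag or attribute the template did not put there."""
    parser = _Tags()
    parser.feed(rendered)
    parser.close()
    return parser.seen != EXPECTED
```

Running `injected` over each renderer shows the band-aid stopping only the first payload, while the encoded output admits none of the three.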

Conclusion (tl;dr)

Hover seems to suffer from the inability to handle user input safely. This has become a big problem over the last few years. There are many attacks stemming from this seemingly simple flaw. I did my best, and tried reporting to them, but they seem unresponsive, and even when they are, it's not always useful.

I will be moving my domains elsewhere. I haven't yet decided where, and I have a bit of time, but I just don't feel safe keeping my data stored somewhere that can't even stop basic OWASP Top 10 vulnerabilities on their main page.

2 comments:

  1. Hey Matt -

    We're sorry about the confusion around this. A couple of corrections for you -

    1) I personally responded to your original issue back in August and made sure that we corrected the core problem. As you said, the issue was resolved pretty quickly.

    2) On January 31, you contacted us about another issue. Your email was marked as spam and there was no other followup that I see. I guess we could have handled this better, and at the same time - the email you sent us looks like a form letter, so I see how it got lost in the noise. At the same time, we've been in contact before and I don't exactly hide my contact information, so it might have been appropriate to send me your concerns directly.

    3) One of our new staffers really tried hard to help you with your credit card processing issues. He's still waiting for a response to his last email trying to help. I'll let him know that you no longer have this issue - I doubt that he reads your blog.

    4) Gotta say, I'm a bit disappointed that you decided to write a blog post about a vulnerability and submit it to Reddit before you notified us. In any event, we dropped everything we were doing this afternoon to make sure that we covered the issue you most recently raised to make sure that your disclosure didn't put our customers at risk. How you disclose is really up to you I guess - my personal take is that it's usually cool to give the vendor a day or two lead on the bad guys.

    I kinda get that you'd want to get credit for finding these exploits and how it can help you build profile for your blog and stuff - and at the same time, the next time - please consider the impact that your disclosures have on the countless users that might be using the service you are disclosing vulnerabilities on behalf of.

    We've been around for 20 years this year - we didn't make it this far by ignoring security issues with our services - I think our track record stands on its own and I'd really urge you to reconsider your approach. Scoring points on the backs of others is a nice way to get traffic in the short term, and not a great way to build a solid reputation in the long term.

    If there's anything we can do to make your move to another registrar any easier, please don't hesitate to ask. My email address is ross@hover.com and I'm available anytime you need a hand.

    Ross Rader
    General Manager, Hover
    a service of Tucows Inc. - an ICANN accredited registrar since 1999

    Simply the best home for your domain name.

    1. Ross

      Thanks for your time and reply. I understand that you're running a business, and you have to do all the PR work. However, your reply is incorrect in a few spots that seem to discredit me. I've responded using your numbered items:

      1) Yes, on my original issue, it was handled quickly. I applaud you for that one. Most vendors that I've reported to were never that quick.

      2) There are a few issues with your system if customer support emails are being marked as spam.
      You should not be automatically sending a reply titled "Request received: [title] (ticket #[number])" (your email response: https://www.dropbox.com/s/fvppwmvnq0cvq6d/hover002_confirmation.pdf). Receiving this email from you signals to me that:
      * You have successfully secured my message to you
      * It's been added into your system (as it has been assigned a ticket number)
      * You are aware of the issue.

      My email that you state was flagged as spam (found here: https://www.dropbox.com/s/4c4ik9lmf6kw1lq/hover002.pdf), follows the same format which I use for all my security findings. This includes when I first emailed you back in August which was not flagged as spam.

      Due to the automated response, I assumed you received my message. Unfortunately, I had no way to know that you didn't receive this issue, and weren't just sitting on it, since your system told me you had it.

      As for your contact information, I double-checked, and not a single piece of Hover email I received contains your email address. They all contain help@hover.com, which is the address that I corresponded with. That's the only address I found on hover.com as well. I attempted to use the "proper channel" of communication. In the future, I will email ross@hover.com with anything I find.

      3) Your employee shouldn't be waiting for a response to my last email, since the issue was closed on February 22nd due to inactivity on my part.

      4) I too am disappointed that I had to write a blog post and submit it to Reddit to get the issue fixed. However, I did attempt to notify you beforehand, and more than just "a day or two lead". I gave a 30 day window to reply that you wanted to cooperate on a resolution. Unfortunately the help ticket got lost in your system somewhere.

      I didn't do this for the credit, as you suggest. If that were the motive, I would have published the first security issue I found in August, or asked to be on some credits list like Google and the other big companies often do. I did this, because I simply wanted the issue fixed, since I was a paying customer with my own risks at stake, too. I know for one, I would not like it if someone was able to compromise my account and start registering domains with my credit card. Posting it to my blog and Reddit just helped get the word out, which resulted in your team fixing the issue.

      This interaction between us really drives the point home as to why many researchers only publicly disclose. I went out of my way to report the issue to you, only to be attacked in your reply. At some point, you may consider setting up a bug bounty system since many companies (Mozilla, eBay, Etsy, PayPal, Facebook, etc) have found them valuable. They actually reward security researchers instead of berating them.
