UPDATE: Afrihost said in a statement on Tuesday that there was no massive security flaw at the internet service provider.
In a statement Afrihost said that no data, personal or payment information had been breached, and its clients were not at risk.
“Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever,” it said.
Responding to an article published on Fin24 quoting a Durban software expert, Afrihost also said its passwords are not stored in plain text, but are encrypted. See original article below.
The information only related to ADSL usernames and passwords, it said. “At absolute worst, the information in question could only be used to login to an ADSL account (and one that allows concurrent logins).”
“Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.”
Afrihost also questioned the credentials of the expert and said Taylor Gibb, the software developer that revelead the flaw, had been banned from the Afrihost network two years ago.
“The fact is that Taylor Gibb had previously tried to publicly attack our brand on minor technical issues, and was ultimately fired as client for breach of our terms,”said Afrihost CEO Gian Visser.
Internet service provider Afrihost says it has solved a massive security flaw that left the ADSL credentials of every single user vulnerable. However, a Durban software expert disagrees.
Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.
An asymmetric digital subscriber line, or ADSL, allows for the fast transfer of data commonly used in households to access the internet
Afrihost, however, told Fin24 on Monday that the ADSL credentials had been encrypted. Representatives decrypt passwords and usernames before giving details to their customers.
“We have had this issue on our agenda to be addressed. What Taylor did was fast-track the process of resolving it,” General Manager of Afrihost, Artur da Silva, told Fin24.
Da Silva added that customers would no longer be able to receive their information over the phone. However, representatives would be able to assist in changing ADSL credentials and information.
Gibb had argued that allowing support staff to decrypt credentials at will was not safe, as they could write them down, go home and share them with a friend, for example.
“All that data is now at risk since it was so easily accessible. If a dump of Afrihost user ADSL credentials had to be leaked, user details are at risk of being stolen and if someone else had to use another user’s ADSL credentials they could for example get 40 Mbps of internet speed for free,” he told Fin24.
Gibb, a Microsoft Regional Director, the CEO at Developer Hut and a senior software development engineer at Derivco, alerted Afrihost to the issue in a Facebook post on Monday.
He said he had been banned from the Afrihost network two years ago, but had managed to circumvent the ban and expose the security vulnerability.
“Afrihost admitted that they knew about storing usernames and passwords in plain text for years and its on their backlog to fix. They called me to tell me this at 19:00 on the evening that I made the announcement. I have tried to contact the guy who called me, but all he says is that Afrihost refuses to discuss their security policies.
“Today I log on only to find they have hidden the password control box from the UI (user interface). This does not constitute encrypting personally identifiable information and still leaves your information at risk. They haven’t encrypted anything as it would require all users to reset their password,” Gibb said in his Facebook post on Monday.
Gibb said since the support staff have had access to this information and could have shared it, this data is now at risk and advised that Afrihost users should change these credentials especially when using them on other websites. — Fin 24
This article was updated to reflect a statement by Afrihost.