Afrihost says security flaw solved

UPDATE: Afrihost said in a statement on Tuesday that there was no massive security flaw at the internet service provider.

In a statement Afrihost said that no data, personal or payment information had been breached, and its clients were not at risk.

“Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever,” it said.

Responding to an article published on Fin24 quoting a Durban software expert, Afrihost also said its passwords are not stored in plain text, but are encrypted. See original article below.

The information only related to ADSL usernames and passwords, it said. “At absolute worst, the information in question could only be used to login to an ADSL account (and one that allows concurrent logins).”

“Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.”

Afrihost also questioned the credentials of the expert and said Taylor Gibb, the software developer who revealed the flaw, had been banned from the Afrihost network two years ago.

“The fact is that Taylor Gibb had previously tried to publicly attack our brand on minor technical issues, and was ultimately fired as a client for breach of our terms,” said Afrihost CEO Gian Visser.

Internet service provider Afrihost says it has solved a massive security flaw that left the ADSL credentials of every single user vulnerable. However, a Durban software expert disagrees.

Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.

An asymmetric digital subscriber line, or ADSL, allows for the fast transfer of data and is commonly used in households to access the internet.

Afrihost, however, told Fin24 on Monday that the ADSL credentials had been encrypted. Representatives decrypt passwords and usernames before giving details to their customers.

“We have had this issue on our agenda to be addressed. What Taylor did was fast-track the process of resolving it,” General Manager of Afrihost, Artur da Silva, told Fin24.

Da Silva added that customers would no longer be able to receive their information over the phone. However, representatives would be able to assist in changing ADSL credentials and information.

Gibb had argued that allowing support staff to decrypt credentials at will was not safe, as they could write them down, go home and share them with a friend, for example.

“All that data is now at risk since it was so easily accessible. If a dump of Afrihost user ADSL credentials had to be leaked, user details are at risk of being stolen and if someone else had to use another user’s ADSL credentials they could for example get 40 Mbps of internet speed for free,” he told Fin24.

Gibb, a Microsoft Regional Director, the CEO at Developer Hut and a senior software development engineer at Derivco, alerted Afrihost to the issue in a Facebook post on Monday.

He said he had been banned from the Afrihost network two years ago, but had managed to circumvent the ban and expose the security vulnerability.

“Afrihost admitted that they knew about storing usernames and passwords in plain text for years and it’s on their backlog to fix. They called me to tell me this at 19:00 on the evening that I made the announcement. I have tried to contact the guy who called me, but all he says is that Afrihost refuses to discuss their security policies.

“Today I log on only to find they have hidden the password control box from the UI (user interface). This does not constitute encrypting personally identifiable information and still leaves your information at risk. They haven’t encrypted anything as it would require all users to reset their password,” Gibb said in his Facebook post on Monday.

Gibb said that, since support staff had had access to this information and could have shared it, the data is now at risk, and he advised Afrihost users to change these credentials, especially if they also use them on other websites. — Fin 24
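The dispute above turns on the difference between reversible encryption, where anyone who can reach the decryption path with the application's key gets the stored password back, and one-way hashing, where the system can only check a candidate and nobody can read the original. The following is an added illustration for readers, not code from Afrihost, Gibb or Fin24; the two store classes, the toy keystream cipher standing in for a real cipher, the `role` check and the sample username and password are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class ReversibleCredentialStore:
    """Passwords stored under a key the application holds (constructed example).

    Whatever is encrypted this way can be turned back into plaintext by
    whoever can invoke the decryption path with the key. That is the
    property described in the article: consultants could read ADSL
    passwords back to callers. The role check in reveal() models the
    mitigation Afrihost describes (consultants can no longer view the data);
    it is an access-control gate, not a change to what the data is.
    The SHA-256 keystream is a stand-in for a real cipher, for illustration only.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}  # username -> (nonce, ciphertext)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self._key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def store(self, username: str, password: str) -> None:
        nonce = secrets.token_bytes(16)
        plaintext = password.encode()
        stream = self._keystream(nonce, len(plaintext))
        self._rows[username] = (nonce, bytes(a ^ b for a, b in zip(plaintext, stream)))

    def reveal(self, username: str, role: str) -> str:
        # Only the authentication system itself may decrypt; a support
        # consultant is refused. Without this gate, anyone with a support
        # login could read the password back, as the article describes.
        if role != "system":
            raise PermissionError(f"role {role!r} may not decrypt stored passwords")
        nonce, ciphertext = self._rows[username]
        stream = self._keystream(nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()

    def verify(self, username: str, password: str) -> bool:
        stored = self.reveal(username, role="system").encode()
        return hmac.compare_digest(stored, password.encode())


class HashedCredentialStore:
    """Passwords stored as salted PBKDF2 digests (constructed example).

    There is no decryption path at all: the system can check a candidate
    password, but no role, consultant or administrator, can read the
    original back. A leaked table yields salts and digests, not credentials.
    """

    ITERATIONS = 200_000

    def __init__(self):
        self._rows = {}  # username -> (salt, digest)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def store(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._rows[username] = (salt, self._digest(password, salt))

    def verify(self, username: str, password: str) -> bool:
        salt, digest = self._rows[username]
        return hmac.compare_digest(self._digest(password, salt), digest)

    def reveal(self, username: str, role: str) -> str:
        raise NotImplementedError("one-way storage: no role can recover a password")


def support_can_read(store, username: str) -> bool:
    """The article's question: can a support consultant read the password back?"""
    try:
        store.reveal(username, role="support")
        return True
    except (PermissionError, NotImplementedError):
        return False


def demo() -> dict:
    user, password = "adsl-user-0001", "correct horse battery"  # constructed sample
    reversible = ReversibleCredentialStore(key=b"constructed demo key, not a real secret")
    hashed = HashedCredentialStore()
    reversible.store(user, password)
    hashed.store(user, password)
    return {
        "reversible_verifies": reversible.verify(user, password),
        "reversible_system_can_decrypt": reversible.reveal(user, role="system") == password,
        "reversible_support_can_read": support_can_read(reversible, user),
        "hashed_verifies": hashed.verify(user, password),
        "hashed_rejects_wrong": hashed.verify(user, "wrong password"),
        "hashed_support_can_read": support_can_read(hashed, user),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both stores authenticate a user correctly, but only the reversible one has a `reveal()` path that can succeed, so Gibb's concern about staff writing credentials down applies to any reversible design and is addressed by the role gate only as long as that gate is enforced everywhere the key is available; hashing removes the path structurally. One caveat the article does not raise, stated here as general background rather than anything reported about Afrihost: some PPP authentication methods used on ADSL links (CHAP in particular) require the server to hold the password in recoverable form, which is one reason ISPs have kept ADSL credentials reversibly encrypted rather than hashed.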

This article was updated to reflect a statement by Afrihost.
