Afrihost says security flaw solved

UPDATE: Afrihost said in a statement on Tuesday that there was no massive security flaw at the internet service provider.

In a statement Afrihost said that no data, personal or payment information had been breached, and its clients were not at risk.

“Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever,” it said.

Responding to an article published on Fin24 quoting a Durban software expert, Afrihost also said its passwords are not stored in plain text, but are encrypted. See original article below.

The information only related to ADSL usernames and passwords, it said. “At absolute worst, the information in question could only be used to login to an ADSL account (and one that allows concurrent logins).”

“Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.”

Afrihost also questioned the credentials of the expert and said Taylor Gibb, the software developer who revealed the flaw, had been banned from the Afrihost network two years ago.

“The fact is that Taylor Gibb had previously tried to publicly attack our brand on minor technical issues, and was ultimately fired as client for breach of our terms,” said Afrihost CEO Gian Visser.

Internet service provider Afrihost says it has solved a massive security flaw that left the ADSL credentials of every single user vulnerable. However, a Durban software expert disagrees.

Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.

An asymmetric digital subscriber line, or ADSL, is a broadband connection carried over an ordinary telephone line, commonly used in households to access the internet. The connection is authenticated with a username and password issued by the service provider.

Afrihost, however, told Fin24 on Monday that the ADSL credentials were stored encrypted, and that representatives decrypted usernames and passwords before reading them to customers.

“We have had this issue on our agenda to be addressed. What Taylor did was fast-track the process of resolving it,” General Manager of Afrihost, Artur da Silva, told Fin24.

Da Silva added that customers would no longer be able to receive their credentials over the phone. Representatives would, however, still be able to help customers change their ADSL credentials and account information.

Gibb had argued that allowing support staff to decrypt credentials at will was not safe, as they could write them down, go home and share them with a friend, for example.

“All that data is now at risk since it was so easily accessible. If a dump of Afrihost user ADSL credentials had to be leaked, user details are at risk of being stolen and if someone else had to use another user’s ADSL credentials they could for example get 40 Mbps of internet speed for free,” he told Fin24.

Gibb, a Microsoft Regional Director, the CEO at Developer Hut and a senior software development engineer at Derivco, alerted Afrihost to the issue in a Facebook post on Monday.

He said he had been banned from the Afrihost network two years ago, but had managed to circumvent the ban and expose the security vulnerability.

“Afrihost admitted that they knew about storing usernames and passwords in plain text for years and it’s on their backlog to fix. They called me to tell me this at 19:00 on the evening that I made the announcement. I have tried to contact the guy who called me, but all he says is that Afrihost refuses to discuss their security policies.

“Today I log on only to find they have hidden the password control box from the UI (user interface). This does not constitute encrypting personally identifiable information and still leaves your information at risk. They haven’t encrypted anything as it would require all users to reset their password,” Gibb said in his Facebook post on Monday.

Gibb said that since support staff had had access to this information and could have shared it, the data was now at risk. He advised Afrihost users to change these credentials, especially if they had reused them on other websites. — Fin24
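The dispute above turns on a distinction the article leaves implicit: a credential that is "encrypted" under a key the provider holds can be decrypted and read out by anyone who can invoke that key, while a salted one-way hash can only be checked, never recovered. The following is an added example, not code from Afrihost, Gibb or Fin24, showing both storage models side by side and the single operation that separates them, a support lookup that returns the plaintext. The usernames, passwords and SERVER_KEY are constructed for the example, and the HMAC-SHA256 counter-mode keystream stands in for a real authenticated cipher such as AES-GCM so that the block runs on the Python standard library alone. It also goes one step beyond the article and shows a migration from the reversible store to the hashed one, which works for any record the server can still decrypt.

```python
"""Two ways to hold an ADSL password: reversible encryption vs. one-way hash.

Constructed example, not the ISP's code. Usernames, passwords and the
server key are invented; the HMAC-SHA256 keystream below stands in for a
real authenticated cipher (e.g. AES-GCM) so this runs on the stdlib alone.
"""
import hashlib
import hmac
import secrets

# Assumption: a single server-side key under which the reversible store
# encrypts. Any process that can use this key can also decrypt.
SERVER_KEY = secrets.token_bytes(32)
PBKDF2_ITERATIONS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in cipher core)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class ReversibleStore:
    """Passwords are encrypted, but any holder of SERVER_KEY can read them back."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        pw = password.encode()
        nonce = secrets.token_bytes(16)
        ks = _keystream(SERVER_KEY, nonce, len(pw))
        self._rows[user] = (nonce, bytes(a ^ b for a, b in zip(pw, ks)))

    def reveal(self, user: str) -> str:
        """What a support tool, or a decrypted dump, exposes: the plaintext."""
        nonce, ct = self._rows[user]
        ks = _keystream(SERVER_KEY, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()

    def verify(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.reveal(user).encode(), password.encode())


class HashedStore:
    """Salted PBKDF2 hashes: the store can verify a password but never return it."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._rows[user] = (salt, self._derive(password, salt))

    def reveal(self, user: str) -> str:
        raise PermissionError("one-way store: password cannot be recovered")

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._rows[user]
        return hmac.compare_digest(self._derive(password, salt), digest)


def support_lookup(store, user: str):
    """The 'read it to the customer over the phone' operation.

    Returns the plaintext from a reversible store and None from a hashed one;
    that difference is what makes a hashed store safe to expose to staff.
    """
    try:
        return store.reveal(user)
    except PermissionError:
        return None


def migrate(old: ReversibleStore) -> HashedStore:
    """Re-hash every record the server can still decrypt; no password reset needed."""
    new = HashedStore()
    for user in old._rows:
        new.set_password(user, old.reveal(user))
    return new


if __name__ == "__main__":
    rev = ReversibleStore()
    rev.set_password("user1@isp.example", "correct horse")  # constructed sample
    print("reversible store, support sees:", support_lookup(rev, "user1@isp.example"))
    hashed = migrate(rev)
    print("hashed store, support sees:", support_lookup(hashed, "user1@isp.example"))
    print("customer still authenticates:", hashed.verify("user1@isp.example", "correct horse"))
```

Hiding the password field in a support UI, as the article describes, changes neither store: with the reversible one the plaintext is still one function call away for anyone who can reach SERVER_KEY, which is why the one-way store is the model that removes the "write it down and take it home" risk rather than relocating it.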

This article was updated to reflect a statement by Afrihost. 
