14 DAY TRIAL // British IT consultant Paul Moore has identified several security holes in the systems of 123Reg (Webfusion), the UK’s largest web registrar.
The expert has identified cross-site request forgery (CSRF), persistent and non-persistent cross-site scripting (XSS), and other types of vulnerabilities in 123Reg’s website.
Moore has demonstrated how the CSRF flaw can be leveraged by an attacker to completely take over user accounts. The vulnerability exists because the user profile update page on 123Reg’s website contains a form that has no relationship with 123Reg.
This allows cybercriminals to pre-populate the form with any values and submit it. Once the arbitrary profile information is submitted, the attacker can change the password and take over the account.
“If you store customer data, credit card information, encryption keys or anything of value... you might want to check your logs thoroughly. That is, of course, assuming the hacker hasn't deleted them to cover their tracks,” Moore warns.
The XSS vulnerabilities on 123Reg can be exploited for phishing attacks.
“With social engineering however, it's quite easy to target a particular user/business,” the expert noted.
Another issue with the web hosting company’s website is that it exposes sensitive information to traffic sniffing. HTTPS is utilized, but incorrectly, allowing an attacker to intercept login data.
The expert says he has notified 123Reg of these issues, but the company doesn’t appear to be in a hurry to fix them, despite the fact that another researcher warned them of the vulnerabilities three weeks prior to Moore’s notification.
On Monday, when Moore made his research public, he claimed that the vulnerabilities were still unfixed. That is why he advises website owners to move to another provider.