Mass Hosting && PCI: A Case Study
Just as a quick follow up to my earlier post, here is a prime example of a "PCI Compliant" company who is probably not.
I attempted responsible disclosure several weeks ago and received no response from this company, a New York based web hosting and development company. I'm not trying to get them in trouble, so I redacted the screenshots and won't refer to them by name, but I have no doubt that anybody who cared could find them quickly enough.
As part of my research, I made a phone call to this company. I inquired about the PCI compliance of their servers, and the sales associate assured me that their servers are scanned regularly and are compliant. He did not tell me who their ASV is, and while I have my theories, I won't speculate publicly.

Regardless, this company has a login portal on their main web site. I know one of their customers, so I can tell you that the credentials used to log into this portal are used for customer cPanel accounts, billing system, and webmail. Those credentials are probably pretty valuable, right?

How did this site ever pass any kind of PCI testing? It's only a theory, but I suspect this is because it's on a mass-hosted server. When you hit the server directly by IP, it brings up the default cPanel page.

But this company was, by their claim, 100% PCI compliant. They told me that some customers also get their sites tested and are in turn PCI compliant.
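To make the scan-scope point concrete, here is an added check (not from the original post) that compares what a server returns when requested by bare IP with what it returns for a named virtual host. If the two differ, an ASV scan aimed only at the IP never exercised the hosted site's login portal. The `fetch` helper and the cPanel title heuristic are assumptions for illustration.

```python
import hashlib
import http.client
import re
from typing import NamedTuple, Optional


class Fingerprint(NamedTuple):
    status: int
    title: str
    body_sha256: str


def fingerprint(status: int, body: bytes) -> Fingerprint:
    """Reduce an HTTP response to a comparable summary (status, <title>, body hash)."""
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).decode("utf-8", "replace").strip() if m else ""
    return Fingerprint(status, title, hashlib.sha256(body).hexdigest())


def fetch(ip: str, host: Optional[str], port: int = 80, path: str = "/") -> Fingerprint:
    """Request `path` from `ip`. With host=None the Host header is just the IP,
    which is what an IP-only scanner sends; with a hostname the named vhost answers.
    (Hypothetical helper; performs a live request, so it is not exercised offline.)"""
    conn = http.client.HTTPConnection(ip, port, timeout=10)
    conn.request("GET", path, headers={"Host": host or ip})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return fingerprint(resp.status, body)


def scan_scope_gap(by_ip: Fingerprint, by_name: Fingerprint) -> dict:
    """Compare the IP-only view with the named-vhost view of the same server.

    A gap means a scan that targets only the IP tested the default page
    (on cPanel servers, the stock landing page) and never touched the site."""
    same_content = by_ip.body_sha256 == by_name.body_sha256
    # Heuristic only: the default cPanel landing page carries "cpanel" in its title.
    default_page = "cpanel" in by_ip.title.lower() and not same_content
    return {
        "ip_reaches_site": same_content,
        "ip_shows_default_page": default_page,
        "scan_scope_gap": not same_content,
    }
```

For a real assessment, feed `scan_scope_gap(fetch(ip, None), fetch(ip, "portal.example.com"))` the hostnames that are actually in PCI scope, and treat any `scan_scope_gap: True` as evidence the ASV target list must name the hosts, not just the address.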
Labels: Full Disclosure, PCI-DSS, Shared Hosting


2 Comments:
It's kind of you to have redacted the screenshots, but it took literally seconds of Google hacking to find the website. As of today, the backups are still in plain view to anyone. I wouldn't approach that web host within a 5-mile radius. Call me naive, but it always blows me away when I see that some professional websites are still making that kind of error.
Keep up the good work!
ekse
By Sébastien Duquette, at November 30, 2009 2:06 PM