Wednesday, February 24, 2010

GoDaddy Accessed Hosted Sites Without Asking Permission

The big techblog HackerNews was aflame with this article today about a GoDaddy customer who detected that GoDaddy accessed his VPS hosted server without his permission.

Here are the facts, in hopefully less technical jargon:
  1. This particular user was using VPS hosting (Virtual Private Hosting), which gives him significant control over his hosting. He is able to install software, because VPS simulates him having his own Linux server.

  2. This user was savvy enough to change the security configuration, so that he could detect if anyone tried to access his VPS.

  3. Someone did try to access his VPS. They had his correct old passwords and latest password, but could not log in successfully because of his security configuration.

  4. The user later received an email from GoDaddy that they had tried unsuccessfully to access his server, because they suspected a malware problem. The user later communicated with GoDaddy by phone and got the same info.

To "security professionals" this is all a big deal because:
  1. GoDaddy personnel have access to your passwords and can poke around in your (their?) server before telling you about it.

  2. The most secure storage of passwords is a system where you can change your password, but there is no way to actually retrieve it (called a Hash). GoDaddy was not doing this.

  3. GoDaddy contacted the customer AFTER they tried to break into his (their?) VPS server.
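
Point 2 above, as an added example that is not from the original post or from GoDaddy: a small Python password store that keeps only a random salt and a PBKDF2 digest per account, so a password can be set, checked and changed but never read back. The class name, method names, sample values and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


class PasswordStore:
    """Hypothetical store: keeps a salt and a one-way digest, never the password."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    @staticmethod
    def _digest(password, salt):
        # PBKDF2-HMAC-SHA256 is deliberately slow and one-way.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def set_password(self, user, password):
        salt = os.urandom(16)  # fresh per-account salt
        self._records[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest = record
        # Constant-time comparison of the stored and recomputed digests.
        return hmac.compare_digest(digest, self._digest(password, salt))

    def change_password(self, user, old, new):
        # The current password must be proven by the caller; it is never looked up.
        if not self.verify(user, old):
            return False
        self.set_password(user, new)
        return True

    def staff_view(self, user):
        """Everything a person with read access to the store can see."""
        salt, digest = self._records[user]
        return {"salt": salt.hex(), "digest": digest.hex()}


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("customer", "old-password")  # constructed sample values
    store.change_password("customer", "old-password", "new-password")
    print(store.verify("customer", "old-password"))  # the old password no longer works
    print(store.staff_view("customer"))  # salt and digest only
```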

Later, there was a posted response from the CSO (Chief Security Officer) of GoDaddy explaining what happened, and what changes they are going to make.

The big takeaway from the response is that GoDaddy "should have contacted [the customer] before accessing the box, warning [the customer] of the possible malware, and that they will do that from now on (good to know)."

GoDaddy also claimed to have a company process governing who can access passwords and how. So not just anyone at GoDaddy can access a hosted site.

As a techie geek, I must say that GoDaddy's response sounds pretty good. I'm also glad there are extremely technical users like this guy who keep the big registrars on their toes for us.

Just keep in mind that you take some risk with your hosting company. So choosing a reputable company is important.

