SicCash.com Server Security Issue Reveals Sensitive Information, Gets Corrected

Shaw Internet's SicCash.com has been publicly exposed as having some rather sensitive security issues, raising questions about the company's back-end affiliate program software, Executive Stats.

Industry security consultant and blog impresario Chris McCoy, aka Fris, posted links last night on adult webmaster board GFY revealing that bank transactions, directories, and database user log-in and password information were accessible through Shaw Internet's SicCash.com.

“All their data was out in the open, showing the MySQL user names and passwords, the Epoch usernames and passwords, FTP usernames and passwords, WTS check transactions and all the sites [SicCash.com] does billing for,” McCoy tells AVNOnline.com.

The links have since been removed from GFY and the system has reportedly been fixed, but Shaw Internet owner Brad Shaw has taken issue with how the situation came to light.

“This was not an ES issue. It was a server security issue that a hacker uncovered. The issue was with our server setup and has nothing to do with our clients,” he says.

Shaw said he has since made a report to the Secret Service and plans to prosecute McCoy.

Although airing the flaws in a public forum brings his motives into question, McCoy says he had good reason for pointing them out to Shaw, who has been critical of competitor programs such as NATS, whose bugs have been similarly exposed on GFY.

“If he sells his system for $25,000 to an affiliate program, it’s a vulnerable system and then someone breaks into say, Cellphonecash.com, steals credit cards and uses them to purchase things, people can sue cellphonecash.”

You could call what McCoy did an independent evaluation. He found the flaws by checking various URLs by trial and error and found the Executive Stats directory structure very easy to guess.

“It was pretty much putting something as a default, like putting your log-in as admin and password as admin—not smart. You hide things for a reason—to keep people out,” McCoy says. “It’s like putting all of your content for a content company in www.domain.com/videos.”

While Shaw has, at times, been critical of Thylmann's software, NATS co-founder Fabian Thylmann refused to throw stones and agreed with Shaw’s take on the situation. “Software is very hard to get 100 percent bug free. The things posted on GFY are, like they pointed out, server issues and not directly software issues. One could argue that the files should not have been in a web-accessible location in the first place, but this thing has happened with many other software packages before, and I am sure it will happen again.”
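The failure described above is credential-bearing files (database, billing and FTP logins) left under a web root with guessable paths and no server-side deny rule. The following added audit script, not code from Shaw Internet, Executive Stats or the article, walks a constructed sample document root, flags files whose contents look like credentials, and reports any that no deny rule covers; the sample file names and the `DENIED_PREFIXES` rule set are assumptions for the demonstration.

```python
import os
import re
import tempfile

# Constructed sample web root (hypothetical layout, not SicCash's real structure).
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    "includes/db.inc": "$db_user = 'stats';\n$db_pass = 'hunter2';\n",
    "backup/sites.sql": "INSERT INTO users VALUES ('ftpuser','s3cret');",
    "config/epoch.ini": "username=merchant\npassword=changeme\n",
    "videos/readme.txt": "content goes here",
}

# Assumed deny rules: path prefixes the web server refuses to serve (as a
# location block or .htaccess would). Anything else is treated as reachable.
DENIED_PREFIXES = ("config/",)

# Heuristics for content that is a secret rather than something to publish.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(pass(word|wd)?|db_pass|secret)\b\s*[=:]"),
    re.compile(r"(?i)\b(user(name)?|db_user|login)\b\s*[=:]"),
    re.compile(r"(?i)\binsert into\s+\w*user"),
]

def looks_like_credentials(text):
    return any(p.search(text) for p in CRED_PATTERNS)

def is_denied(relpath, denied_prefixes=DENIED_PREFIXES):
    return any(relpath.startswith(p) for p in denied_prefixes)

def find_exposed(docroot, denied_prefixes=DENIED_PREFIXES):
    """Return sorted relative paths of credential-like files the server would serve."""
    exposed = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            with open(full, errors="replace") as fh:
                text = fh.read()
            if looks_like_credentials(text) and not is_denied(rel, denied_prefixes):
                exposed.append(rel)
    return sorted(exposed)

def write_sample_root(files=SAMPLE_FILES):
    """Materialise the constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel in find_exposed(write_sample_root()):
        print("EXPOSED:", rel)  # prints backup/sites.sql and includes/db.inc
```

The fix the script points to is the one Thylmann names: move such files outside the document root, or add deny rules so the listing comes back empty.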

McCoy concurred, “Every piece of software has its problems. Windows XP is reported to have more than 100,000 bugs. NATS had bugs—all code does. You find them and fix them; that’s why you have updates.”

Meanwhile, the situation has turned into high drama.

“We know who this Fris character is. He came to us with holes in our system and wanted money to fix them. So in other words, he hacked us, then wanted us to pay him not to make the hacks public,” Shaw says.

McCoy, however, tells AVNOnline.com that he wasn’t worried about Shaw or the potential of prosecution.

“I didn’t do anything illegal. I accessed publicly available URLs,” he says. “I did not break into a system.”