Whitelist de-listing: HostDoc

It is unfortunate but HostDoc has been de-listed from The Whitelist: https://lowendboxes.review/whitelist-de-listing-hostdoc/

There are multiple reports of random customer data leaks stretching back to October 2019. Evidence is detailed in the announcement above.

HostDoc has been a great provider but this random leaking of customers' private details is a red line. There are many other great alternative providers on The Whitelist if you are concerned, and I also have posted some extended reviews on LowEndBoxes Review if you need fine-grained data on alternative providers (more to come).

If there is credible future evidence that customer data isn't being randomly leaked any more, HostDoc may be reinstated.

Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Follow latest deals on Twitter or Telegram


Comments

  • I would really like to see the dox fix this once and for all, it's been reported many times and keeps persisting. I was told it was whmcs caching pages, and that clearing the cache "resolved" the issue but it seems like it's something deeper than that perhaps.

    I'm not sure how this will end to be honest..

    Paging @HostDoc

    This is probably a good time to announce that I haven't been associated with HostDoc for a while now, and this has actually made me decide to cancel my services. My reason is the apparent lack of seriousness taken to resolve it, even though I get a spiel about it being cleared and not coming back.

    Shitty times indeed.

    Purveyor of high quality potassium

  • havocx Member
    edited January 28

    I've seen this myself before & reported it too. Changed my hostname as a result because that seems to be the most tangible info leaking (e.g. if it's same as server url)

    Definitely overdue for a fix.

  • It's a very serious problem. I hope it can be solved

  • @havocx said:
    I've seen this myself before & reported it too. Changed my hostname as a result because that seems to be the most tangible info leaking (e.g. if it's same as server url)

    Definitely overdue for a fix.

    If a visitor lands on the client area main summary page, it leaks your name and address. (This is the worst part imo)
    If they land on the services page, your hostnames and package types are leaked.
    If they land on the tickets page, your tickets will show.


  • I was reading the original post and I had this very thing happen to me multiple times and I had reported it to them and HostDoc kept telling me I was the only client reporting the issue. This is extremely concerning; it sounds like I was being lied to, especially when it comes to my privacy.

  • @iTDave said:
    I was reading the original post and I had this very thing happen to me multiple times and I had reported it to them and HostDoc kept telling me I was the only client reporting the issue. This is extremely concerning; it sounds like I was being lied to, especially when it comes to my privacy.

    I am now accused of smearing the Doc. :)

  • jackb Member, Provider
    edited January 28

    @dahartigan said:

    @havocx said:
    I've seen this myself before & reported it too. Changed my hostname as a result because that seems to be the most tangible info leaking (e.g. if it's same as server url)

    Definitely overdue for a fix.

    If a visitor lands on the client area main summary page, it leaks your name and address. (This is the worst part imo)
    If they land on the services page, your hostnames and package types are leaked.
    If they land on the tickets page, your tickets will show.

    Sounds like a caching reverse proxy is misconfigured. WHMCS pages and similar should be no-store.

    Afterburst - Awesome OpenVZ&KVM VPS in US+EU
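A defensive check for the no-store point above (and for the page-by-page leak list in dahartigan's earlier reply), added here as an example that is not from this thread, from WHMCS or from HostDoc: it parses captured response headers of client-area pages and flags whatever would let a shared cache replay one customer's page to the next visitor. The paths, the cookie name and the two sample responses are constructed.

```python
"""Check whether pages carrying per-user content are safe behind a shared cache.
Added example for this thread, not HostDoc's, WHMCS's or tawk.to's code.
Sample responses are constructed; cookie name and paths are placeholders."""
from typing import Dict, List

HIGH, MEDIUM, INFO = "HIGH", "MEDIUM", "INFO"


def parse_raw_response(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response (what `curl -i` prints)
    into a {lowercase-name: [values]} map. Status line and body are ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_cache_control(values: List[str]) -> Dict[str, str]:
    """Split Cache-Control value(s) into {directive: argument}; a bare
    directive such as no-store maps to an empty string."""
    directives: Dict[str, str] = {}
    for value in values:
        for part in value.split(","):
            name, _, arg = part.strip().lower().partition("=")
            if name:
                directives[name] = arg.strip().strip('"')
    return directives


def audit_personalised_response(path: str, headers: Dict[str, List[str]]) -> List[str]:
    """Findings for a response known to contain per-user data (client area summary,
    services, tickets). Empty list: a shared cache may not store or replay it."""
    cc = parse_cache_control(headers.get("cache-control", []))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append(f"{HIGH} {path}: Cache-Control lacks no-store, so a caching "
                        "reverse proxy may keep this page and replay it to the next visitor")
        if "private" not in cc:
            findings.append(f"{MEDIUM} {path}: no 'private' either; shared caches are not told to skip it")
        ttl = cc.get("s-maxage") or cc.get("max-age") or ""
        if ttl.isdigit() and int(ttl) > 0:
            findings.append(f"{HIGH} {path}: freshness lifetime of {ttl}s on per-user content")
        vary = {v.strip().lower() for v in ",".join(headers.get("vary", [])).split(",")}
        if "cookie" not in vary:
            findings.append(f"{MEDIUM} {path}: Vary lacks Cookie, so the cache key ignores "
                            "which session produced the page")
    # Evidence that replay is already happening: this copy came out of a cache.
    age = headers.get("age", ["0"])[0]
    if age.isdigit() and int(age) > 0:
        findings.append(f"{INFO} {path}: Age={age}, this copy was served from a cache")
    if any("hit" in v.lower() for v in headers.get("x-cache", [])):
        findings.append(f"{INFO} {path}: X-Cache reports a cache hit")
    return findings


# Constructed samples: a client-area summary the way a misconfigured proxy might
# return it, and a services page with the headers such pages should carry.
LEAKY_SUMMARY = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=PLACEHOLDER; Path=/; HttpOnly\r\n"
    "Cache-Control: public, max-age=300\r\n"
    "Age: 42\r\n"
    "X-Cache: HIT from edge-1\r\n"
    "\r\n"
    "<html>Hello, Some Other Customer ...</html>"
)
SAFE_SERVICES = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=PLACEHOLDER; Path=/; HttpOnly\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, private\r\n"
    "Vary: Cookie\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_PAGES = {"/client-area/summary": LEAKY_SUMMARY, "/client-area/services": SAFE_SERVICES}


def run_samples() -> Dict[str, List[str]]:
    """Audit every constructed sample and return {path: findings}."""
    return {p: audit_personalised_response(p, parse_raw_response(raw))
            for p, raw in SAMPLE_PAGES.items()}
```

Run the same audit against real `curl -i` captures of each client-area page while logged in; any Age or X-Cache hit on a page that shows your name is the leak itself, not just a risk.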

  • @iTDave said:
    I was reading the original post and I had this very thing happen to me multiple times and I had reported it to them and HostDoc kept telling me I was the only client reporting the issue. This is extremely concerning; it sounds like I was being lied to, especially when it comes to my privacy.

    Yeah mate, definitely not the only one it happened to. Even now, as of a minute ago on LES, his approach is to just keep fixing it as it happens and blame us for bringing it to attention so it can't be swept under the rug anymore..

  • @poisson said:

    @iTDave said:
    I was reading the original post and I had this very thing happen to me multiple times and I had reported it to them and HostDoc kept telling me I was the only client reporting the issue. This is extremely concerning; it sounds like I was being lied to, especially when it comes to my privacy.

    I am now accused of smearing the Doc. :)

    Yeah and me too, it's crazy actually!

    @jackb said:

    @dahartigan said:

    @havocx said:
    I've seen this myself before & reported it too. Changed my hostname as a result because that seems to be the most tangible info leaking (e.g. if it's same as server url)

    Definitely overdue for a fix.

    If a visitor lands on the client area main summary page, it leaks your name and address. (This is the worst part imo)
    If they land on the services page, your hostnames and package types are leaked.
    If they land on the tickets page, your tickets will show.

    Sounds like a caching reverse proxy is misconfigured. WHMCS pages and similar should be no-store.

    It's possible, perhaps @HostDoc can look into those suggestions

  • hzr Member, Moderator

    Wtf is "just keep fixing it"? Manually clearing the cache?

  • dahartigan said: whmcs caching pages

    I didn't care about the mentioned issues before reading this. Now I remember, when I enter their WHMCS pages, on the top right corner there's something like "Hello, 用户名".
    I refresh the page then it's gone.

  • @hzr said:
    Wtf is "just keep fixing it"? Manually clearing the cache?

    Pretty much :-S

    Someone will report it, it gets "fixed", repeat.

    @Coffee said:

    dahartigan said: whmcs caching pages

    I didn't care about the mentioned issues before reading this. Now I remember, when I enter their WHMCS pages, on the top right corner there's something like "Hello, 用户名".
    I refresh the page then it's gone.

    That's what the problem is, those details belong to someone else. Someone else will log in and see your name and address too. That's why it's serious. Free personal details for all bad guys with no effort.

  • jar Provider

    I remember something like that happening with a large provider in the past due to CloudFlare caching while attempting to mitigate a large DDOS attack. Maybe @HostDoc would share with us more about the software stack used on that server and we could brainstorm together, help a brother out you know.

  • Who let the docs out?

  • He has so many sites with different themes/layouts/whatever, which does not help either. I always get confused when I visit his site; some order pages have a currency option, some don't...

  • @GayRun said:
    It's a very serious problem. I hope it can be solved

    Congrats on your first post

    "Linux will run happily with only 4 MB of RAM, including all of the bells and whistles such as the X Window System, Emacs, and so on." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 32)

  • @jar said:
    caching while attempting to mitigate a large DDOS

    I think @HostDoc was using OVH mitigation system at one point (which was very quick to block my curious pings ... lol)

    the Amitz.party lives on!

  • thedp Member

    Yes I did experience this in the past and raised it to the Doc right away.

    DomainPeon
    Ongoing Auctions: LowEndTalk

  • @dahartigan said:
    Someone will report it, it gets "fixed", repeat.

    Sounds like my Sydney VPS that is clearly on a server that is heavily oversold, considering it had 50-70% IOwait and server CPU on the hypervisor would hit 70-90% utilization, and was met with the response that no one else is complaining about the server speed. Sounds like I was given the same approach regarding their billing system that nobody else was having issues with.. lies have a funny way to come back to bite you eventually HostDoc!!!

  • @iTDave said:

    @dahartigan said:
    Someone will report it, it gets "fixed", repeat.

    Sounds like my Sydney VPS that is clearly on a server that is heavily oversold, considering it had 50-70% IOwait and server CPU on the hypervisor would hit 70-90% utilization, and was met with the response that no one else is complaining about the server speed. Sounds like I was given the same approach regarding their billing system that nobody else was having issues with.. lies have a funny way to come back to bite you eventually HostDoc!!!

    Ah yeah the SYD shitshow. You're definitely not the only person to notice that either. Extrapolate that across all experiences and you'll see the pattern emerge...

  • I wish I had a screenshot of this same issue.. Chinese name in the profile. I have the LA RYZEN plan...

  • thedp Member

    @okgoogle said:
    I wish I had a screenshot of this same issue.. Chinese name in the profile. I have the LA RYZEN plan...

    I do but I'd rather not post it here due to privacy/sensitivity concerns.

  • @thedp said:

    @okgoogle said:
    I wish I had a screenshot of this same issue.. Chinese name in the profile. I have the LA RYZEN plan...

    I do but I'd rather not post it here due to privacy/sensitivity concerns.

    Agreed.. For support or proof of ongoing issues...

  • What is this issue about, since I've never encountered one ?

  • @Coffee said:

    dahartigan said: whmcs caching pages

    I didn't care about the mentioned issues before reading this. Now I remember, when I enter their WHMCS pages, on the top right corner there's something like "Hello, 用户名".
    I refresh the page then it's gone.

    I faced exactly the same issue. I was surprised to see some other services under my HostDoc account in WHMCS and another account name was showing up; I refreshed the page and it was gone.

  • Nyr Member

    The so called whitelist is kind of confusing to begin with and it seems like a list of hosts which just play cool with the community. It lacks plenty of big established and reliable providers and includes others which will need to restructure significantly or disappear within very few years (HostDoc being one of them).

    Don't take me wrong, the effort to help new community members away from scams and every contribution in that regard are of course helpful.

  • poisson Member
    edited January 28

    @Nyr said:
    The so called whitelist is kind of confusing to begin with and it seems like a list of hosts which just play cool with the community. It lacks plenty of big established and reliable providers and includes others which will need to restructure significantly or disappear within very few years (HostDoc being one of them).

    Don't take me wrong, the effort to help new community members away from scams and every contribution in that regard are of course helpful.

    I am happy to include providers I have missed if you send them over. This is a side project and I do not promise comprehensiveness but if I come to know of more reliable additions, I will add them in. This project also depends on the community.

    Also, HostDoc was doing well, so the evidence wasn't against him. Furthermore, I don't want to penalise newer providers unnecessarily so I do check for user feedback and provider's responsiveness and attitude to make the decision. Ultimately, I have to make the judgement call, and I think the list, on balance of probability, is way safer than random Googling.

  • marvel Member without signature

    Probably should get rid of the whitelist all together. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security.

  • IMO the whitelist is just a recommended list that, at least for now, is worth the money. All of the providers on the whitelist that I've used provided awesome service and were really worth the money.

    I'm pretty sure @poisson was trying to list providers that he thinks are worth the money, which I think is a great side project. :)

  • PieHasBeenEaten Member, Moderator

    If a theme or theme integration is causing such a headache, go back to the stock WHMCS theme till you figure out wtf is going on. Really that should have happened after the first report.

  • There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this juncture.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Regards

  • @marvel said:
    Probably should get rid of the whitelist all together. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security.

    Condoms and vaccines follow the same arguments. They are not 100% but people are very likely to get STDs or infectious diseases without them. I operate on a probabilistic model, and so far I have been wrong once, which is acceptable.

  • @HostDoc said:
    There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this juncture.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Regards

    Once again, I invite you to share evidence. There are many more data points that have surfaced and surely these customers have "motivations" too?

  • @HostDoc said:

    There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    Honestly, my motivation is that you hopefully take it seriously now and don't brush it off as minor because the only thing that leaked is personal details and not access to VPS themselves. In many cases, the data on the VPS is worthless compared to personal details.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this juncture.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Great, but what about personal details? Can you assure everyone their personal details are safe with you?

    I want to see you succeed @HostDoc but far out man, if it were me, I'd take the billing system down until it's fixed properly. This isn't personal, but my personal details are, you feel me?

  • muffin Member
    edited January 28

    @dahartigan said:
    @HostDoc said:

    There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    Honestly, my motivation is that you hopefully take it seriously now and don't brush it off as minor because the only thing that leaked is personal details and not access to VPS themselves. In many cases, the data on the VPS is worthless compared to personal details.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this juncture.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Great, but what about personal details? Can you assure everyone their personal details are safe with you?

    I want to see you succeed @HostDoc but far out man, if it were me, I'd take the billing system down until it's fixed properly. This isn't personal, but my personal details are, you feel me?

    He sent an email about it that it is already fixed. Also, I’d trust a random HostDoc’s customer over alpharacks and woothosting about personal details, just saying.

  • marvel Member without signature

    @poisson said:

    @marvel said:
    Probably should get rid of the whitelist all together. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security.

    Condoms and vaccines follow the same arguments. They are not 100% but people are very likely to get STDs or infectious diseases without them. I operate on a probabilistic model, and so far I have been wrong once, which is acceptable.

    There's usually a disclaimer on the condom package :smiley:

  • @marvel said:
    Probably should get rid of the whitelist all together. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security.

    As with most other tools - it can be good, or bad - depending on how it is used.
    We can't reasonably expect any single person to be constantly checking the service quality of more than a few hosting providers they themselves are using. Hence - I wouldn't even trust my own recommendation of hosting providers whose services I have used, but am no longer with - even 6-month-old info can be considered not very relevant.

    However, it is as good as it gets for a starting point. Having a, what I believe to be, an objectively created and maintained (as good as possible) list of hosting providers who have been solid so far and have a good reputation (with an added disclaimer like: "as far as I know", or "to the best of my knowledge").

    Without such lists, one is left with "top 10 hosting providers" googling, which returns paid and suspicious reviews. Or go completely random.

    This way - at least the probability of starting off with a good low budget hosting provider is much greater. Takes fewer trial and errors.

    I, for one, appreciate the effort Poisson is making and think having such information is very useful and helpful. It seems as methodical and objective as possible and probably takes a lot of time and discipline to build and keep up to date.

    I also believe that this public sharing of info about HostDoc was with best intentions - not aimed at bashing them - as much as one can judge other people over the Internet.

    Reasonable course of action (in my opinion) would be a public disclosure by HostDoc about why it has happened, how it was resolved and what has been done to prevent the same/similar problem from recurring.

    If I were a hosting provider, I think I'd prefer to be notified more discreetly, if for no other reason than to prevent any extra data leakage. Though I believe this was done in this case - months before this publication - and it was made public only after receiving no convincing information that the problem was being dealt with (hope HostDoc will correct me if I'm wrong).

    Either way, there's no shame in having a problem - it happens to everyone. Own it, fix it. Sure there are loads of third party apps that providers don't really have a control over and I'm sure it's a tough line of work. The bad that comes with the good.

    Mostly harmless™

    I/O Gremlin

  • @marvel said:

    @poisson said:

    @marvel said:
    Probably should get rid of the whitelist all together. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security.

    Condoms and vaccines follow the same arguments. They are not 100% but people are very likely to get STDs or infectious diseases without them. I operate on a probabilistic model, and so far I have been wrong once, which is acceptable.

    There's usually a disclaimer on the condom package :smiley:

    You are right. Let me get the fine print on the whitelist this week! :)

  • When it happened to me (seeing a Chinese account), I expressed the seriousness of the incident and was seemingly 'taken onboard'. To find out months later that the problem persisted is galling. As others have said, an immediate takedown of the Client Area should've been done, returning the software to basics. KISS philosophy.

    Long live LowEndInfo.com

  • muffin said: Also, I’d trust a random HostDoc’s customer over alpharacks and woothosting about personal details, just saying

    Nope. Chinese & Americans are the worst spammers, IME.

  • pullangcubo Member
    edited January 28

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache, go back to the stock WHMCS theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

  • thedp Member

    @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache, go back to the stock WHMCS theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Ok that's not something pleasant to know :joy:

  • poisson Member
    edited January 28

    @thedp said:

    @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache, go back to the stock WHMCS theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Ok that's not something pleasant to know :joy:

    I don't know what to feel any more. Every time a possible explanation is given, someone comes along with a somewhat credible account negating the explanation. 😂

  • As per the email sent a few hours ago, the leak was due to a tawk.to module?

    Upon an extended debug, it was found that the culprit for our sessions corruption and data leak was a tawk.to module.

    Tawk.to was not only loaded as a module in our WHMCS installation, but was further added as code to the footer.tpl file when a new template was implemented.
    This created two tawk.to profiles attempting to load on the installation simultaneously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
    The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.

  • @pullangcubo said:
    As per the email sent a few hours ago, the leak was due to a tawk.to module?

    Upon an extended debug, it was found that the culprit for our sessions corruption and data leak was a tawk.to module.

    Tawk.to was not only loaded as a module in our WHMCS installation, but was further added as code to the footer.tpl file when a new template was implemented.
    This created two tawk.to profiles attempting to load on the installation simultaneously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
    The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.

    Some of the more technically inclined LET members have looked at the code and said they don't believe the tawk.to module caused it.

  • @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache, go back to the stock WHMCS theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Default theme without tawk?

    Remember the value of LET is purely based on its traffic.

  • @cybertech said:

    @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache, go back to the stock WHMCS theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Default theme without tawk?

    The default theme still had tawk.to loaded via the module.
    At this time, we were working closely with WHMCS and the module had not yet been identified as the cause.


    Please note there are three ways to implement tawk.to in WHMCS.
    We initially used their module. Upon a template change, the code was manually added to the footer.tpl file.

  • @HostDoc said:
    The default theme still had tawk.to loaded via the module.
    At this THAT time, we were working closely with WHMCS and the module had not yet been identified as the cause.

    I think this change clarifies the timeframe of the statement and avoids confusion (past vs present).

  • hzr Member, Moderator

    HostDoc said: The default theme still had tawk.to loaded via the module.

    I'm kind of surprised something like tawk would even require a module, instead of at best a footer change to add some JS.

  • MikeA Member, Provider

    @hzr said:

    HostDoc said: The default theme still had tawk.to loaded via the module.

    I'm kind of surprised something like tawk would even require a module, instead of at best a footer change to add some JS.

    If I remember correctly it lets it pull data from WHMCS into tawk.to if the client is logged in, which makes it simpler to confirm users and access stuff. I haven't used it in a long time though.

    ExtraVM - AMD Ryzen VPS starting @ $3.50
    USA (TX, VA, FL), CA, FR, UK, SGP, AU, RU
