Whitelist de-listing: HostDoc - Page 2

Comments

  • There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this junction.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Regards

  • @marvel said:
    Probably should get rid of the whitelist altogether. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security?

    Condoms and vaccines follow the same arguments. They are not 100% but people are very likely to get STDs or infectious diseases without them. I operate on a probabilistic model, and so far I have been wrong once, which is acceptable.

  • @HostDoc said:
    There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this junction.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Regards

    Once again, I invite you to share evidence. There are many more data points that have surfaced and surely these customers have "motivations" too?

  • @HostDoc said:

    There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    Honestly, my motivation is that you hopefully take it seriously now and don't brush it off as minor because the only thing that leaked is personal details and not access to VPS themselves. In many cases, the data on the VPS is worthless compared to personal details.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this junction.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Great, but what about personal details? Can you assure everyone their personal details are safe with you?

    I want to see you succeed @HostDoc but far out man, if it were me, I'd take the billing system down until it's fixed properly. This isn't personal, but my personal details are, you feel me?

    Thanked by 1 poisson
  • muffin Member
    edited January 2020

    @dahartigan said:
    @HostDoc said:

    There is too much activity in this thread for me to reply to everyone individually.

    As mentioned on the other forum, I believe there are different motivations behind this thread but, let's leave emotions at the door.

    Honestly, my motivation is that you hopefully take it seriously now and don't brush it off as minor because the only thing that leaked is personal details and not access to VPS themselves. In many cases, the data on the VPS is worthless compared to personal details.

    A statement has now been issued addressing the data leak.
    I can only apologise for the problem at this junction.
    I would like to reassure all users that their accounts and VPS are secure and not accessible by outside parties.

    Great, but what about personal details? Can you assure everyone their personal details are safe with you?

    I want to see you succeed @HostDoc but far out man, if it were me, I'd take the billing system down until it's fixed properly. This isn't personal, but my personal details are, you feel me?

    He sent an email about it that it is already fixed. Also, I’d trust a random HostDoc’s customer over alpharacks and woothosting about personal details, just saying.

  • @poisson said:

    @marvel said:
    Probably should get rid of the whitelist altogether. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security?

    Condoms and vaccines follow the same arguments. They are not 100% but people are very likely to get STDs or infectious diseases without them. I operate on a probabilistic model, and so far I have been wrong once, which is acceptable.

    There's usually a disclaimer on the condom package :smiley:

    Thanked by 1 poisson
  • @marvel said:
    Probably should get rid of the whitelist altogether. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security?

    As with most other tools - it can be good, or bad - depending on how it is used.
    We can't reasonably expect any single person to be constantly checking the service quality of more than a few hosting providers they themselves are using. Hence - I wouldn't even trust my own recommendation of hosting providers whose services I have used, but am no longer with them - even 6-month-old info can be considered not very relevant.

    However, it is as good as it gets for a starting point. Having a, what I believe to be, an objectively created and maintained (as good as possible) list of hosting providers who have been solid so far and have a good reputation (with an added disclaimer like: "as far as I know", or "to the best of my knowledge").

    Without such lists, one is left with "top 10 hosting providers" googling, which returns paid and suspicious reviews. Or go completely random.

    This way - at least the probability of starting off with a good low budget hosting provider is much greater. Takes fewer trial and errors.

    I, for one, appreciate the effort Poisson is making and think having such information is very useful and helpful. It seems as methodical and objective as possible and probably takes a lot of time and discipline to build and keep up to date.

    I also believe that this public sharing of info about HostDoc was with best intentions - not aimed at bashing them - as much as one can judge other people over the Internet.

    Reasonable course of action (in my opinion) would be a public disclosure by HostDoc about why it has happened, how it was resolved and what has been done to prevent the same/similar problem from re-occurring.

    If I were a hosting provider, think I'd prefer to be notified more discreetly, if for no other reason than to prevent any extra data leakage. Though I believe this was done in this case - months before this publication and it's been made public only after receiving no convincing information that the problem is being dealt with (hope HostDoc will correct me if I'm wrong).

    Either way, there's no shame in having a problem - it happens to everyone. Own it, fix it. Sure there are loads of third party apps that providers don't really have a control over and I'm sure it's a tough line of work. The bad that comes with the good.

    Thanked by 2 dahartigan marvel
  • @marvel said:

    @poisson said:

    @marvel said:
    Probably should get rid of the whitelist altogether. How much more evidence do you need that it's not helping anyone and only gives customers a false sense of security?

    Condoms and vaccines follow the same arguments. They are not 100% but people are very likely to get STDs or infectious diseases without them. I operate on a probabilistic model, and so far I have been wrong once, which is acceptable.

    There's usually a disclaimer on the condom package :smiley:

    You are right. Let me get the fine print on the whitelist this week! :)

    Thanked by 2 marvel dahartigan
  • When it happened to me (seeing a Chinese account), I expressed the seriousness of the incident and was seemingly 'taken onboard'. To find out months later that the problem persisted is galling. As others have said, an immediate takedown of the Client Area should've been done, returning the software to basics. KISS philosophy.

  • muffin said: Also, I’d trust a random HostDoc’s customer over alpharacks and woothosting about personal details, just saying

    Nope. Chinese & Americans are the worst spammers, IME.

  • pullangcubo Member
    edited January 2020

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache go back to the stock whmcs theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Thanked by 2 poisson AlwaysSkint
  • DP Administrator, The Domain Guy

    @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache go back to the stock whmcs theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Ok that's not something pleasant to know :joy:

    Thanked by 2 poisson dahartigan
  • poisson Member
    edited January 2020

    @thedp said:

    @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache go back to the stock whmcs theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Ok that's not something pleasant to know :joy:

    I don't know what to feel any more. Every time a possible explanation is given, someone comes along with a somewhat credible account negating the explanation. 😂

    Thanked by 1 dahartigan
  • As per the email sent a few hours ago, the leak was due to a tawk.to module?

    Upon an extended debug, it was found that the culprit for our sessions corruption and data leak was a tawk.to module.

    Tawk.to was not only loaded as a module in our WHMCS installation, but was further added as code to the footer.tpl file when a new template was implemented.
    This created two tawk.to profiles attempting to load on the installation simultaneously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
    The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.

  • @pullangcubo said:
    As per the email sent a few hours ago, the leak was due to a tawk.to module?

    Upon an extended debug, it was found that the culprit for our sessions corruption and data leak was a tawk.to module.

    Tawk.to was not only loaded as a module in our WHMCS installation, but was further added as code to the footer.tpl file when a new template was implemented.
    This created two tawk.to profiles attempting to load on the installation simultaneously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
    The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.

    Some of the more technically inclined LET members have looked at the code and said they don't believe the tawk.to module caused it.

  • @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache go back to the stock whmcs theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Default theme without tawk?

  • @cybertech said:

    @pullangcubo said:

    @PieHasBeenEaten said:
    If a theme or theme integration is causing such a headache go back to the stock whmcs theme till you figure out wtf is going on. Really that should have happened after the first report.

    I reported/worked with the Doc regarding this issue a few weeks back and with my experience, even with the default WHMCS theme, at that time, the issue persisted.

    Default theme without tawk?

    The default theme still had tawk.to loaded via the module.
    At this time, we were working closely with WHMCS and the module had not yet been identified as the cause.


    Please note there are three ways to implement tawk.to to WHMCS.
    We initially used their module. Upon a template change, the code was manually added to the footer.tpl file.

    Thanked by 1 AlwaysSkint
  • @HostDoc said:
    The default theme still had tawk.to loaded via the module.
    At this THAT time, we were working closely with WHMCS and the module had not yet been identified as the cause.

    I think this change clarifies the timeframe of the statement and avoids confusion (past vs present).

    Thanked by 1 uptime
  • hzr Member

    HostDoc said: The default theme still had tawk.to loaded via the module.

    I'm kind of surprised something like tawk would even require a module, instead of at best a footer change to add some JS.

  • MikeA Member, Patron Provider

    @hzr said:

    HostDoc said: The default theme still had tawk.to loaded via the module.

    I'm kind of surprised something like tawk would even require a module, instead of at best a footer change to add some JS.

    If I remember correctly it lets it pull data from WHMCS into Tawk.to if the client is logged in, makes it simpler to confirm users and access stuff. I haven't used it in a long time though.

  • @dahartigan said:

    @poisson said:

    @iTDave said:
    I was reading the original post and I had this very thing happen to me multiple times and I had reported it to them and HostDoc kept telling me I was the only client reporting the issue. This is extremely concerning that it sounds like I was being lied to especially when it comes to my privacy.

    I am now accused of smearing the Doc. :)

    Yeah and me too, it's crazy actually!

    It's not smearing if it's on topic and true (have evidence). You want to bring up a non-related issue like illegitimate kids or cheating on a gf, that would be smearing.

    Thanked by 1 dahartigan
  • @MikeA said:

    @hzr said:

    HostDoc said: The default theme still had tawk.to loaded via the module.

    I'm kind of surprised something like tawk would even require a module, instead of at best a footer change to add some JS.

    If I remember correctly it lets it pull data from WHMCS into Tawk.to if the client is logged in, makes it simpler to confirm users and access stuff. I haven't used it in a long time though.

    Sounds useful but pretty dangerous at the same time to let a 3rd party plugin access customer data. I don't know why anyone would implement that to begin with.

  • @marvel said:
    I don't know why anyone would implement that to begin with.

    Easy/quicker to spot an existing client and reference their service(s).

  • MikeA Member, Patron Provider
    edited January 2020

    @marvel said:

    @MikeA said:

    @hzr said:

    HostDoc said: The default theme still had tawk.to loaded via the module.

    I'm kind of surprised something like tawk would even require a module, instead of at best a footer change to add some JS.

    If I remember correctly it lets it pull data from WHMCS into Tawk.to if the client is logged in, makes it simpler to confirm users and access stuff. I haven't used it in a long time though.

    Sounds useful but pretty dangerous at the same time to let a 3rd party plugin access customer data. I don't know why anyone would implement that to begin with.

    Plenty of live chat apps do it. WHMCS official one (developed by third party), LiveChatInc (which I use), Tawk.to. Regardless, that isn't his problem.

    Thanked by 1 poisson