A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries. According to information obtained by KrebsOnSecurity.com, for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software.

WHMCS is a suite of billing and support software used mainly by Web hosting providers. Following an extended period of downtime on Monday, the privately-owned British software firm disclosed that hackers had broken in and stolen 1.7 gigabytes worth of customer data, and deleted a backlog of orders, tickets and other files from the firm’s server.

The company’s founder, Matt Pugh, posted a statement saying the firm had fallen victim to a social engineering attack in which a miscreant was able to impersonate Pugh to WHMCS’s own Web hosting provider, and trick the provider into giving up WHMCS’s administrative credentials.

“Following an initial investigation I can report that what occurred today was the result of a social engineering attack,” Pugh wrote. “The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.”

Meanwhile, WHMCS’s user forums have been and remain under a constant denial-of-service attack, and the company is urging customers to change their passwords.

As bad as things are right now for WHMCS, this rather public incident may be only part of the company’s security woes. For several years, I have been an unwelcome guest on an exclusive underground forum that I consider one of the few remaining and clueful hacking forums on the Underweb today. I’ve been kicked out of it several times, which is why I’m not posting any forum screenshots here.

Update, May 29, 12:35 p.m. ET: WHMCS just issued a patch to fix an SQL injection vulnerability that may be related to this 0day. See this thread from Pugh for more information.

Original post:

In February, a trusted and verified member of that forum posted a thread titled “WHMCS 0-day,” saying he was selling a previously undocumented and unfixed critical security vulnerability in all versions of WHMCS that provides direct access to the administrator’s password. From that hacker’s sales thread [link added]:

“No patches for it until now, vulnerability is a full blind SQL injection discovered by me. Wrote an exploit for it that works from command line which extracts admin hash from [database]. No need to decode md5 hash, can login directly with faking cookies. 🙂 Also can provide 3 methods to upload shell from the whmcs panel after logging in as admin. will sell exploit to maximum 3 buyers. -Price: $6k USD -Payment Method: LR [Liberty Reserve]”

According to this hacker, WHMCS doesn’t properly validate input supplied by users. As a result, an attacker who knew how to exploit this bug could force a WHMCS installation to cough up the credentials needed to administer it. The seller also is offering buyers an easy way to maintain remote access to compromised WHMCS installations via a Web browser.
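The two claims in the sales thread, that user input reaches a SQL query unvalidated and that the stolen admin hash is enough to log in “with faking cookies,” map onto two well-known defensive controls. The following is an added illustration written for this post, not WHMCS code and not a description of WHMCS’s actual implementation: the table name, column names, sample admin row and the probe input are all constructed assumptions. It contrasts a query built by string splicing with a parameterized one, and a login cookie derived from the password hash with a random server-side session id.

```python
import hashlib
import secrets
import sqlite3

# Constructed in-memory stand-in for a billing panel's admin table.
# Schema, sample row and the unsalted MD5 are assumptions for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    pw_hash = hashlib.md5(b"correct horse battery staple").hexdigest()
    conn.execute(
        "INSERT INTO admins (username, password) VALUES (?, ?)", ("admin", pw_hash)
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect: the caller's input is spliced into the SQL text, so a quote in
    # the input changes the query's structure instead of being matched as data.
    sql = f"SELECT username, password FROM admins WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Fix: a bound parameter is always a value; quotes and keywords inside it
    # are never interpreted as SQL syntax.
    sql = "SELECT username, password FROM admins WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_demo() -> dict:
    # A constructed tautology probe of the kind used in an input-validation
    # test: it should never return a row from a correctly parameterized query.
    conn = make_db()
    probe = "nobody' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
    }


# --- Session handling ---------------------------------------------------------

def cookie_from_hash(username: str, pw_hash: str) -> str:
    # Risky pattern (assumed here to illustrate the seller's remark): if the
    # login cookie is derived from the stored hash, anyone who reads the hash
    # out of the database can forge a session without knowing the password.
    return f"{username}:{pw_hash}"


SESSIONS: dict[str, str] = {}


def cookie_random(username: str) -> str:
    # Hardened pattern: an unguessable id, mapped to the user server-side,
    # carries no password material and is revocable by deleting the entry.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def resolve_session(token: str):
    # Returns the user for a live session id, or None for anything forged.
    return SESSIONS.get(token)


if __name__ == "__main__":
    print(injection_demo())  # vulnerable query returns the admin row, the fixed one none
    t = cookie_random("admin")
    print(resolve_session(t), resolve_session("forged-token"))
```

The `cookie_from_hash` function exists only to show why “no need to decode md5 hash” is a credible claim against that design: the cookie is computable from database contents alone. With `cookie_random`, a database read yields nothing a browser can present, which is the property an admin session scheme should have regardless of how strong the password hashing is.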

I’ve reached out to WHMCS for comment, and will update this post in the event I hear back from them. I’m taking WHMCS at their word about the source of their breach, but it goes without saying that this vulnerability could have offered the attackers another way in (assuming that the company relies on its own billing and support software).

Just a short note about some of the media coverage I’ve seen on the larger breach story. Some reports have called WHMCS a “cloud billing provider,” but it doesn’t appear that WHMCS offers a hosted version of its product. Near as I can tell, the company sells its software for a one-time fee (with annual update fees), or for a monthly lease fee. They do seem to partner with other companies to provide them with licenses for resale, and in those cases support may have been handled by WHMCS. In those cases, the software would call home to a licensing server, and those customers may have been among the most heavily impacted by this attack.

There are lengthy and interesting discussion threads about this directly from users of the software, at webhostingtalk.com and lowendtalk.com. Many users seem to be worried that the data stolen in the now-public breach may include WHMCS direct customer data, as well as the location of the installed software and credit card data, and passwords for WHMCS installs that were done by them or supplied during troubleshooting.

According to one user I interviewed but who asked not to be quoted by name, the biggest problem with the software is that it stores the decryption key in its configuration file. “So any billing gateway that doesn’t use tokenization would have the credit card numbers stored in the MySQL database, encrypted with the key,” the user said.
