During the development of our new security SaaS, which lets anyone check the security level of their own servers, we ran tests on one of our own websites. Since the website is hosted by one of the biggest hosting providers in Switzerland, we didn’t expect to find any critical vulnerabilities. It turned out we were wrong.

EDIT: To avoid any legal problems, we will not share the name of the provider for now. Thank you for your understanding.

The concept of this new service, called Security Guardian, is to give people a quick and straightforward way to check whether their servers are vulnerable. You simply let it scan your servers daily and get alerted if a vulnerability is found. During our testing routine for the early versions of the product, we had it monitor the security of one of our websites, hosted by one of the biggest Swiss hosting providers, to see how it performed over a prolonged period. The first results were quite good: no critical vulnerabilities were found. We were satisfied with those results and let it run while we kept working on other things.

After some quiet days, we received an alert telling us that a critical vulnerability had been found on the server. At first, we were sceptical. The vulnerability concerned the MySQL database having a weak password. The severity was high (9/10), so we quickly began investigating the problem.

From the provided report, we learned more about the vulnerability. It was possible to log into the database remotely with the root account without any password, which was surprising given that we were dealing with a major hosting provider in Switzerland.

Since the product was still at an early stage, we initially thought it was probably a bug in our product. Being the curious people we are, we decided to try logging into the database manually to see whether the vulnerability was real. As a matter of fact, it was not a bug in our product: we really could log into the database without any password from a conventional SQL client.

From there, we had access to all the databases present on that server, including those of hundreds of their clients. Fortunately, we only had read access to the table names and could not write or delete anything. Still, it was a serious security problem for their clients, including us. We did not investigate further to see what harm could be caused with this account.
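The root cause described above (a root account reachable remotely with no password) is something a database owner can audit directly from MySQL's grant table. The following is an added example written for this post, not Security Guardian's code; it assumes the MySQL 5.7/8.0 column layout of `mysql.user` (User, Host, plugin, authentication_string) and takes the rows as input so it runs offline.

```python
# Added example: audit rows from MySQL's mysql.user table for accounts that
# can be reached remotely without a password, the condition described above.
# Assumptions: MySQL 5.7+/8.0 column layout (User, Host, plugin,
# authentication_string); rows are supplied by the caller, e.g. the result of
# "SELECT User, Host, plugin, authentication_string FROM mysql.user".
from dataclasses import dataclass
from typing import Iterable, List

# Plugins that authenticate via the OS socket and legitimately carry no hash.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    severity: str
    reason: str


def is_remote(host: str) -> bool:
    """A Host pattern that is not a loopback literal can match remote clients."""
    return host not in LOCAL_HOSTS


def audit_accounts(rows: Iterable[tuple]) -> List[Finding]:
    """Return one Finding per risky account, most severe cases first in row order."""
    findings = []
    for user, host, plugin, auth in rows:
        passwordless = (auth or "") == "" and plugin not in SOCKET_PLUGINS
        if passwordless and is_remote(host):
            sev = "critical" if user == "root" else "high"
            findings.append(Finding(user, host, sev, "no password, remote login allowed"))
        elif passwordless:
            findings.append(Finding(user, host, "medium", "no password (local only)"))
        elif user == "root" and is_remote(host):
            findings.append(Finding(user, host, "medium", "root reachable remotely"))
    return findings


# Constructed sample rows (not data from the incident in the post).
SAMPLE_ROWS = [
    ("root", "localhost", "auth_socket", ""),
    ("root", "%", "mysql_native_password", ""),
    ("app_user", "10.0.0.5", "mysql_native_password", "*CONSTRUCTED_HASH_PLACEHOLDER"),
    ("backup", "localhost", "mysql_native_password", ""),
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ROWS):
        print(f"{f.severity:8} {f.user}@{f.host}: {f.reason}")
```

Running this daily against your own instance, as the post argues for continuous monitoring, catches the account reappearing as well as the first occurrence.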

We contacted them within an hour and they reacted quickly. Shortly after, they began investigating the problem and fixed the vulnerability. Sadly, they did not give us any further explanation of how it happened or how a root account was suddenly accessible without a password. All they told us was that they didn’t know how or why this user was there.

Since we were inside, we took a quick look to see who was accessing the database besides us. We found out that we were not alone in there: someone from China was also having a look, as we found one of their IP addresses.

Once they fixed the problem, the new scans confirmed that the vulnerability was gone. However, one week after the event, we received a new alert notifying us that the vulnerability was back. We quickly checked again manually and contacted the hosting provider to warn them. Sadly, their reaction was not the most professional one. They wrote back that the vulnerability had been fixed again, but they ignored our questions about the impact of the recurring problem. Then they blocked the IP address of our scanner so we could no longer scan their server.

Finally, the moral of the story is that, even if you do not manage the server yourself, you should still care about its security and not blindly trust your hosting provider. It is hard to say how long the hosting provider would have left this vulnerability wide open without our tool. This kind of thing can happen to anyone, and it is an example of why it is important to monitor the security of your servers continuously. The security of an asset evolves over time, and it is essential to be aware of the changes.




Infoteam Security offers you a comprehensive range of IT security testing and recommendations to ensure the availability of your information systems. You can consult our presentation slides or our website for further information about our services.
