How do you tell a web hosting company that they have a security issue (and also other issues with their services) when they ignore the issue and issue a standard, scripted rebuttal that puts the blame elsewhere? The typical ones are the user's PC, Internet connection, or network bottlenecks, which they claim are causing the issue of being able to log in to the SQL server via a PHPMyAdmin [PMA] panel that loads from my browser history, even though I have not logged in to either the CP or the PMA admin page.

I never save passwords, for this very reason, so I pointed this out and they claimed it was secure because it's on an internal IP address…

FFS, I did a POC this morning and demonstrated it to my friend, who had never logged in to the servers. I said that he should have had a 403 or 404 page, or been redirected to the user CP on the web host CP, like what happens with my web host: if you time out, close the page, or reboot, you have to log in on the CP, go through the CP to the databases, and click a button to manage the database on PMA.

Long story short, I have other concerns when I read up that these boys, and I do mean boys, fresh-faced out of boarding school, who started the company at 14 years old and, 4 years on, have several internet-based companies and are happy to gloat on LinkedIn and in their product material. Really inspires confidence, I can tell you…

So despite telling these boys about their serious security blunder in how they set up their servers and internal workings, they refuse to accept the fundamental fact that they have a security glitch that could be exploited, making hackers' lives easier…

So how does an old hat like me discuss this issue with a bunch of Eton upstarts?
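As an added illustration, and not code from the original post or from the hosting company being discussed, here is the kind of guard a control panel's "manage database" page could run before handing off to phpMyAdmin, so that reopening the page from browser history after a timeout sends the visitor back to the CP login rather than showing the panel. The constants, session keys (`cp_user_id`, `last_seen`) and login path are assumptions.

```php
<?php
// Added example (hypothetical names): a guard for a hosting control panel's
// "manage database" page that launches phpMyAdmin. Not the hosting company's code.

const CP_LOGIN_URL   = '/cp/login';   // assumed path of the control panel login page
const IDLE_TIMEOUT_S = 900;           // assumed idle timeout of 15 minutes

// Decide whether a request may reach the PMA page. Returns null when allowed,
// otherwise the reason it is refused. Kept free of globals so it is easy to test.
function pma_access_denied_reason(array $session, int $now): ?string
{
    if (empty($session['cp_user_id'])) {
        return 'not-logged-in';            // no authenticated CP session at all
    }
    if (!isset($session['last_seen']) || ($now - (int)$session['last_seen']) > IDLE_TIMEOUT_S) {
        return 'session-expired';          // idle too long: treat exactly like a logout
    }
    return null;
}

function send_no_store_headers(): void
{
    // Stop browsers and intermediaries from caching the page, so that
    // reopening it from history cannot show a stale, logged-in view.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function guard_pma_page(): void
{
    session_start();
    send_no_store_headers();

    $reason = pma_access_denied_reason($_SESSION, time());
    if ($reason !== null) {
        // Drop any stale session state and bounce to the CP login.
        session_unset();
        session_destroy();
        header('Location: ' . CP_LOGIN_URL . '?reason=' . rawurlencode($reason), true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();   // refresh the idle timer on each allowed hit
}

guard_pma_page();
// Only past this point would the page hand the user over to phpMyAdmin.
```

The two halves matter together: the session check is what produces the redirect the post expects after a timeout, and `Cache-Control: no-store` is what stops a browser from restoring a previously rendered PMA page from its cache when the entry is picked from history. Being on an internal IP address does nothing for either case, since the request still originates from the user's browser.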

When I found myself in a similar position, I simply took my business elsewhere. If you can’t get them to face reality, there’s not much else you can do.


You have told them, and if they ignore you I cannot see any point in discussing it further. As @TechnoBear says, move your sites off their server ASAP.


Yep, tell them with your feet :)

As everyone else has said, move your websites off their servers, ASAP.

And then if it still bothers you, that they are ignoring what you are saying, if they have a forum, post there and ask them how to report it, a bit more publicly, where all their other customers can see your post and how they handle it.

Maybe they will pay a bit more attention to what you have to say there, rather than going through their 1-on-1 support ticket system or e-mail, where they probably employ people to answer stuff using macros instead of hand typed answers.

Be careful not to give too many details about the vulnerability out in the open on their forum, though, as you wouldn't want anyone to take that kind of info and do bad things with it.

IDK about that, because as of today it has thrown up some interesting bits of information that I have discussed with Consumer Direct and also the Information Commissioner's Office, who have both agreed with some points I raised and had a comparator to work with.

Point one: in the sales blurb, on further investigation, I found the parent company based on use of Google and a bit of hacking, and this company is proud to announce that at the age of 14 the founder started a web hosting company.

Ummm, sorry, but you cannot do that until 16; it is impossible for a child in the UK to legally start a company, that's the law. Yes, you can work at the age of 13, and in some cases younger, but those need special licences to do that.

Point two: they [the hosting company] are in breach of contract for the said services for failing to comply with point three.

Point three: the ICO states that the company have failed to comply with the 7th principle of the DPA 1998, which covers data they hold and data that they process outside the organisation or business… e.g. banking information as one example, credit checks as another.

It might sound a pretty trivial matter; it does, however, warrant closer inspection for users' rights and what hosting companies are obligated to provide. It is not as simple as it appears on first inspection. This has opened a can of worms, because even with ADR schemes in place, in some countries this means that compensation is due, or refunds or restitution that makes good on any losses for failing to provide goods and services. In the UK it's SOGA 1979 & 82 that defines some consumer rights; others fall under the legislation of the Consumer Rights Act and also Trading Standards and other regulating authorities like OfCom or ICO…

Too much info is my crowbar. The ultimatum will come in the form of a do-or-die scenario where I outline what will happen when I put my black hat on, and that their takedown will not be because of me but because of their arrogance and cavalier approach to internet security.

Hey, I get that you are irritated, maybe even a bit angry, towards the hosting company for refusing to listen to you, but what do you have against their customers? What did they do to you? They are the innocent ones in all of this. Why put their websites in danger if you don’t have to? At least give the customers a chance.

