#1
I would like to show you how insecure your billing portal is. It is a pure security risk to email our password and login details on monthly invoices!! Please remove this feature or block it!
Sample from Billing Invoice:
Paypal
If you pay using paypal DO NOT send a payment to our email address. To pay you will need to login at : https://secure.hostgator.com/billing/
Username: **Removed**
password: **Removed**
__________________
sudo rm -rf /mnt/win32 ; sync ; dd if=/dev/random of=/mnt/win32/ooops bs=16384 ; sync "Knowledge is Power, power corrupts, corruption is illegal. STOP LEARNING BEFORE YOU END UP IN JAIL!"
#2
Why is it a security risk? Only YOU will get the email so nobody else will see it.
#3
Since when is email only something you will look at? The data is there for anyone to look at for any server it passes through.
__________________
best regards, George
#4
Quote:
In the past, sending plain text passwords was a very large problem because hackers would use sniffers to watch for traffic with passwords, credit cards, SSNs and that type of stuff. Nowadays, sniffers are not nearly the problem they were because of the volume of traffic. Sniffers produce so much volume that it's really impossible to use them effectively any more, unless the hacker is targeting a specific source/destination. The majority of hackers are now using keyloggers and trojans, not sniffers.

IMHO, sending passwords in email is not the problem it was years ago. I can't remember the last time I heard of a system being exploited via a sniffer. I routinely send emails with passwords and don't think a thing about it; it's not secure, but it's safe enough for passwords. I don't think it's safe enough for credit card numbers, because of their format, they are still very easy to sniff and profitable when found.

Also, I suspect that if the billing system was ever exploited, they would stop sending passwords, but as that doesn't seem to be happening, it does seem to bear out that it is safe enough.

Last edited by Serra; 05-13-2007 at 09:25 AM.
#5
Hello,
We have changed the billing system to only send the password when you receive your welcome e-mail. You should not see the password in new invoices now.
#6
Thanks
__________________
sudo rm -rf /mnt/win32 ; sync ; dd if=/dev/random of=/mnt/win32/ooops bs=16384 ; sync "Knowledge is Power, power corrupts, corruption is illegal. STOP LEARNING BEFORE YOU END UP IN JAIL!"
All times are GMT -5.