Let us begin with a preface describing what FTP and SFTP actually are.
FTP stands for File Transfer Protocol and, in essence, is the way you access your core server files, such as your WordPress or other CMS installation files.
SFTP is basically a more secure version, in much the same way that https is more secure than http: it runs over SSH, so your login credentials and the files you transfer are encrypted in transit, whereas plain FTP sends both in the clear.
Just imagine it as a way of logging in and viewing everything on the server. And when we say everything, we mean EVERYTHING.
Through FTP you can read the database login credentials stored in the core installation files, and through the database you can view account details, card details for purchases, addresses, you name it. It’s a hacker’s wet dream.
Now allow us to introduce GoDaddy, the multinational, multi-million-pound hosting and domain-name provider, to those of you who have been living under a rock. Last year GoDaddy posted 200 million dollars in revenue, so this is not a small tech firm or reseller. In fact, it is the largest domain-name registrar in the world.
So imagine our surprise when, logging in to FTP this morning on a client’s site to back up some routine files, we realised we could access not only our own files but every other person’s files on the same server.
How did we do this?
Not through some tech wizardry or hack based on years of experience. No. We simply clicked ‘back’.
That’s right, the little blue ‘back’ button at the top of the browser. The one that everyone can see and use.
Unfortunately, we’re unable to verify whether this affects just our own account or others too, as we only have access to this specific GoDaddy account. However, if the system has handed us an admin-level account, then you can be damn sure it will have done the same for everyone else.
Either that, or it’s misconfigured at its core level, in which case anyone can do it. We’re not sure which is worse.
And if you don’t believe us, here is a screenshot of the core folder; all of the folders below are accounts on this specific server. Note the nice little “r-wr-xr-x”, which indicates we have full write/edit permissions to hundreds of websites.
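As an added illustration (not part of the original post, and not GoDaddy's own tooling), here is a small Python script that parses long-format listing lines of the kind a web FTP client or `ls -l` prints, decodes each symbolic mode string so you can see exactly which class of user (owner, group or other) the write bit applies to, and lists the entries owned by other accounts that your own account could still modify. The listing, the user names and the group membership are constructed sample values. On a correctly isolated shared host, where each account is confined to its own tree, that last check should come back empty.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a long-format directory listing, as an FTP client or
# "ls -l" would print it. Invented for this example; not the post's screenshot.
SAMPLE_LISTING = """\
drwxr-xr-x   5 user1    users    4096 Mar 03 10:12 site-one
drwxrwxr-x   8 user2    users    4096 Mar 02 09:01 site-two
drwxrwxrwx   3 user3    users    4096 Feb 28 17:45 site-three
-rw-r--r--   1 user1    users    2311 Mar 01 12:00 config.php
-rw-rw-rw-   1 user2    users     512 Mar 01 12:30 settings.ini
lrwxrwxrwx   1 root     root       11 Jan 10 08:00 current -> site-one
"""

# mode, link count, owner, group, size, month, day, time-or-year, name [-> target]
LISTING_RE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+?)(?: -> (?P<target>.+))?$"
)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    name: str
    target: str | None = None

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    @property
    def is_symlink(self) -> bool:
        return self.mode[0] == "l"


def parse_listing(text: str) -> list[Entry]:
    """Parse long-format listing lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def who_can_write(mode: str) -> set[str]:
    """User classes (owner, group, other) to which the 'w' bit applies."""
    perms = mode[1:]  # drop the file-type character
    return {cls for cls, i in (("owner", 1), ("group", 4), ("other", 7)) if perms[i] == "w"}


def symbolic_to_octal(mode: str) -> str:
    """Convert e.g. 'drwxr-xr-x' to '0755', honouring setuid/setgid/sticky."""
    perms = mode[1:]
    bits = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)
        if ch in "rwx":
            bits |= bit
        elif ch in "sS" and i in (2, 5):      # setuid / setgid shown in the x slot
            bits |= 0o4000 if i == 2 else 0o2000
            if ch == "s":                     # lower-case means x is also set
                bits |= bit
        elif ch in "tT" and i == 8:           # sticky bit shown in the other-x slot
            bits |= 0o1000
            if ch == "t":
                bits |= bit
    return f"{bits:04o}"


def exposed_entries(entries: list[Entry], me: str, my_groups: set[str]) -> list[str]:
    """Names of entries owned by someone else that account `me` could still modify.

    On a properly isolated shared host this list should be empty: each account
    should only ever see (let alone write) its own tree.
    """
    out = []
    for e in entries:
        # Symlink modes are always rwxrwxrwx; the target's mode governs, so skip them.
        if e.owner == me or e.is_symlink:
            continue
        writers = who_can_write(e.mode)
        if "other" in writers or ("group" in writers and e.group in my_groups):
            out.append(e.name)
    return out


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in entries:
        print(f"{e.mode} ({symbolic_to_octal(e.mode)}) {e.owner:6} {e.name:14} "
              f"writable by: {sorted(who_can_write(e.mode))}")
    print("Exposed to user1:", exposed_entries(entries, "user1", {"users"}))
```

The point of `who_can_write` is that a symbolic mode such as `rwxr-xr-x` grants write only to the file's owner, whereas `rwxrwxr-x` extends it to the owning group and `rwxrwxrwx` to every account on the machine; which of these you see on other customers' directories, and which account the server logged you in as, is what decides whether you merely see the neighbouring sites or could change them.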
Being the nice, upstanding individuals we are, we went straight to GoDaddy support… whose 24/7 chat support is apparently closed, and whose Twitter account has yet to even bother reading the message we sent. They can’t say we didn’t try to warn them.
In the meantime, we would advise anyone with a website on GoDaddy to take an immediate backup of your site. And if we’re right and this is an open door, perhaps consider your future hosting arrangements?
Our hope is that we’ve stumbled upon something by accident, but our fear is that it’s not. Our fear is that it’s far worse than that.
And if we are right, then the next thing you’ll see is GoDaddy appearing on this Data Breach chart.