
WHMCS - finally a positive move

lbft

New Member
Haha, sounds more like they want to have him arrested. Lure him into providing contact details or meeting in person.
 

matt[scrdspd]

SecuredSpeed
Verified Provider
Haha, sounds more like they want to have him arrested. Lure him into providing contact details or meeting in person.
That was my initial thought as well. However, it makes one wonder why they have not already chosen and hired a company/team to do this. One would have thought this would have happened months (if not weeks) ago by now.
 

lifetalk

New Member
Verified Provider
So they're reaching out to one guy instead of a reputable audit firm? Sounds very suspicious, to say the least.
 

MartinD

Retired Staff
Verified Provider
Uh, no lol. They're reaching out to the person who has been causing them so much (warranted) grief. It makes perfect sense.
 

drmike

100% Tier-1 Gogent
Only way to approach this as the person with the exploits is with a real contract up front that clearly says this isn't a setup and they won't attempt prosecution or civil action.

Going naively to help them --- in pursuit of money --- usually ends up with legal action.

They need to farm the project out to a real firm and get to improving the codebase.
 

RiotSecurity

New Member
I guess it wouldn't help the fact that their database has been leaked over the internet (as of yesterday) and that the admin login hashes were cracked.
 

WebSearchingPro

VPS Peddler
Verified Provider
I guess it wouldn't help the fact that their database has been leaked over the internet (as of yesterday) and that the admin login hashes were cracked.
Ahh, I assume it's because WHMCS uses WHMCS. They are a very high priority for these types of things. IIRC they use Cloudflare now, I assume for the WAF features.

However, I am glad to see they are acknowledging their issue. Though, it is unfortunate it has taken them this long to realize that there is a problem. Many, many companies were hurt by automated WHMCS exploit scripts; something in the several thousands of WHMCS installations have hidden accounts.
 

RiotSecurity

New Member
Alright, so I have to touch on a few things here, which they claim is a "positive move" towards security.

As per this image here:

[Image: aaron-email.png]


"Meeting face to face"

More like lawsuit face to face.

"Matt (CEO)"

Let's just stop right there. I've sent in countless bug reports, hell, even talked to Matt via Skype; he really doesn't give a damn about security.

So let's look at what that email really says:

"Is there any way I could lie to you to get your address?

I really want to send you a lawsuit.

Matt (CEO) and I are really pissed off right now.

We will be your worst nightmare if you're this stupid

--

Aaron

"

I couldn't honestly stop laughing for a while. In all seriousness, if they do get a security audit done, then I will applaud them.
 

wlanboy

Content Contributor
However, I am glad to see they are acknowledging their issue. Though, it is unfortunate it has taken them this long to realize that there is a problem. Many, many companies were hurt by automated whmcs exploit scripts.
I was wondering why no one was using the exploits against WHMCS.

Maybe they are now seeing that they have to do something.
 

lifetalk

New Member
Verified Provider
Uh, no lol. They're reaching out to the person who has been causing them so much (warranted) grief. It makes perfect sense.
Exactly, and therefore very suspicious. It would be less suspicious if Aaron hadn't worded that email the way he did: 'can fly anywhere in the world' and 'we are friendly and good people'. Lol. I mean, c'mon, who writes a proposal email that way?
 

MartinD

Retired Staff
Verified Provider
Because the tin-foil-hat donning people in this arena react just as you did.
 