Internet service provider Afrihost says it has solved a massive security flaw that left the ADSL credentials of every single user vulnerable. However, a Durban software expert disagrees.

Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.

An asymmetric digital subscriber line, or ADSL, allows for the fast transfer of data commonly used in households to access the internet

Afrihost, however, told Fin24 on Monday that the ADSL credentials had been encrypted.
Representatives decrypt passwords and usernames before giving details to their customers.

“We have had this issue on our agenda to be addressed. What Taylor did was fast-track the process of resolving it,” General Manager of Afrihost, Artur da Silva, told Fin24.

Da Silva added that customers would no longer be able to receive their information over the phone. However, representatives would be able to assist in changing ADSL credentials and information.

Gibb had argued that allowing support staff to decrypt credentials at will was not safe, as they could write them down, go home and share them with a friend, for example.

“All that data is now at risk since it was so easily accessible. If a dump of Afrihost user ADSL credentials had to be leaked, user details are at risk of being stolen and if someone else had to use another user’s ADSL credentials they could for example get 40 Mbps of internet speed for free,” he told Fin24.

Gibb, a Microsoft Regional Director, the CEO at Developer Hut and a senior software development engineer at Derivco, alerted Afrihost to the issue in a Facebook post on Monday.

He said he had been banned from the Afrihost network two years ago, but had managed to circumvent the ban and expose the security vulnerability.

“Afrihost admitted that they knew about storing usernames and passwords in plain text for years and its on their backlog to fix. They called me to tell me this at 19:00 on the evening that I made the announcement. I have tried to contact the guy who called me, but all he says is that Afrihost refuses to discuss their security policies.

“Today I log on only to find they have hidden the password control box from the UI (user interface). This does not constitute encrypting personally identifiable information and still leaves your information at risk. They haven’t encrypted anything as it would require all users to reset their password,” Gibb said in his Facebook post on Monday.

Gibb said since the support staff have had access to this information and could have shared it, this data is now at risk and advised that Afrihost users should change these credentials especially when using them on other websites. — Fin 24