STE WILLIAMS

Namecheap has admitted it let customers set up and control subdomains for domain names belonging to other customers, allowing miscreants to distribute malware from strangers’ websites.

These hijacked sites were subsequently flagged up as malicious by Google’s search engine, blocking netizens from visiting them, and piling further misery on webmasters.

Namecheap customer Kirk McElhearn found this out to his cost when he received an alert from Google that three subdomains on his website were hosting and serving out spammy content or malicious software. This was news to him since his hosting administration tool Cpanel was showing no such subdomains existed.

When McElhearn turned to ICANN-accredited registrar Namecheap for help, he got a rather disturbing response. The technical support staff at the US-based biz told him that the issue was down to a “misconfiguration on our nameservers.”

Essentially, some scumbag with a Namecheap account had abused a vulnerability in Namecheap’s DNS setup to tack extra subdomains onto McElhearn’s kirkville.com website, point said subdomains at a web server, and use them to dish out naughty stuff.

“In short, it was another user that added the subdomains to their hosting account,” he was told.

To make matters worse, the subdomains were outside his control. Also, while his legit site uses encrypted HTTPS by default, visitors to the new subdomain were redirected to standard HTTP pages. Ultimately, the subdomains were exploiting McElhearn’s website’s search rankings to lure in netizens.

“If you get a lot of traffic, the bogus pages set up on the sub-domain may inherit some of your website’s prominence, allowing malicious users to serve spam or malware, or to make money by displaying Google ads,” McElhearn explained.

“Interestingly, even though Google flagged these pages as ‘hacked content’ they were still serving Google ads; as if Google really doesn’t care how they make their money.”

After the subdomains were removed, and McElhearn detailed his experiences in a report on Monday, noted infosec pundit Graham Cluley took the registrar to task on Twitter. Namecheap’s response was not what you’d call reassuring:

The issue should be completely resolved very soon. Just an update: https://t.co/K72Dz8mAfI – Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe.

— Namecheap.com (@Namecheap) February 5, 2018

“The issue should be completely resolved very soon,” it said on Twitter. “Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe.”

The biz said it is conducting an audit, and will contact any of its customers who have been affected by its security cockup. Judging from the language used, the issue potentially affected Namecheap’s entire customer base, it’s just that miscreants only got round to targeting a select bunch, and the registrar is now scrambling to find out who got hit.

“They certainly haven’t contacted me about it, outside of the tweet which isn’t what you’d call official” McElhearn told The Register. “And Teeny tiny is not a useful term.”

Thankfully, the subdomains on his site turned out to just be categorized links to daily news articles. But it could have been a lot worse.

So far Namecheap isn’t responding to requests for comment, but if the company is hosting your website you may want to check that you’re not hosting anything nasty. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/07/namecheap_subdomain_security_hole/