
Security Alert: MORE Security Problems With Zircon Web Design

A Zircon Web Design customer's site was blacklisted after it was hacked, causing a full-page warning for site visitors.

This is a follow-up to the post we wrote back in December of 2016, titled “Security Alert: Zircon Web Design Inc. (Zircon Web Design & Hosting)“.

If you are a Zircon customer it’s important to read this, as the problems with Zircon keep getting worse. Zircon Web Design Inc, based out of Paradise, Newfoundland, was also unwilling to refund a customer that had serious problems with their website, despite the site being hacked numerous times due to poor coding.

In the first post we wrote about Zircon we informed you about a serious flaw that was found in many Zircon-built websites. However since that original post we have had the opportunity to thoroughly review a website that was built by Zircon Web Design, and have some concerning news to report to you.

The original CKFinder vulnerability that was reported back in December was caused by not properly securing a file upload utility that Zircon had used on over 80 websites. Since Zircon was not aware of this vulnerability the same code was copied to each new site that was built by Zircon, thereby causing each new site that was built to be vulnerable as well.

However, the problems highlighted below show much more serious issues. The issues listed below show that Zircon really does not understand website security, and are most likely building websites that they are not qualified to build, thereby putting customers at risk.

Background

In this case the website in question was a classified advertising style website. Website visitors could post a free listing on the website, and could pay to bump their post to the top of the listings or to highlight their ad as a “featured ad” of sorts. The website was meant to generate revenue for the business owner through ad sales.

The owner of this website switched from Zircon Web Design to TiVaHost Web Hosting to host this website, along with another business website they have. Over the first few months with TiVaHost the customer had contacted us a number of times about issues on their website. Each time we looked into the problem, we found that it was directly caused by the insecure way that Zircon has built the website.

In this post we make some references to OWASP. The Open Web Application Security Project (OWASP) is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. Every few years they publish a list of “Top Ten most Critical Web Application Security Risks“.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The most recent list can be found at https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf. Zircon has built the website in question with 8 of the top 10 vulnerabilities built-in. This is terrible in terms of website security, as a past Zircon customer has found out the hard way.

SQL Injection Attacks

SQL injection is a code injection technique in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). A SQL injection attack can allow an attacker to manipulate, view, and delete data from the database.

The cause of SQL injection attacks is not properly validating data that is entered by a website visitor before using it in your application. The website we reviewed did no server-side validation at all. Data that was entered by a website visitor was used as-is.

The image below shows a sample of code taken from the Zircon-built website. It shows that the values entered by the user are taken (shown in orange), without any validation, and then used directly in an SQL query (shown in red). This could have serious consequences for the site owner.

The tests we performed on this website allowed us to log in as any user, so we were able to view the user’s profile details without needing to know their password. This allowed us to view the user’s name, address, phone number, and password.

“Injection attacks” are listed as #1 on the OWASP list of “Top Ten most Critical Web Application Security Risks”.

Cisco also has a great article on SQL injection attacks here: http://www.cisco.com/c/en/us/about/security-center/sql-injection.html. In it they say:

A SQL injection attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks.

Since an SQL injection attack can allow an attacker to steal, modify, add, and delete data from a website this is a serious vulnerability.

SQL injection attacks are very easy to prevent. It appears as though Zircon Web Design is not aware of these types of attacks, how they work, or how to build a website that is secure from them.

Plain-Text Passwords

This vulnerability refers to the storing of account passwords in human-readable form in the database, rather than the passwords being encrypted.

There is a paper out of the University of Texas that explains all of the issues surrounding plain-text passwords that you can find here: https://www.utdallas.edu/~zxl111930/file/ISPEC15.pdf

The website we reviewed stored passwords in plain-text in the database. This means that anyone with access to the database could easily see the passwords of the users that had registered on this website. Remember, as mentioned previously, this site was also vulnerable to SQL injection attacks. SQL injection attacks combined with plain-text passwords in the database greatly increases the chance of an attacker gaining access to the database, and all of the passwords stored within it.

“Sensitive Data Exposure” is also #6 on the OWASP list of “Top Ten most Critical Web Application Security Risks”.

Since people often re-use the same password for many different services, storing them unencrypted and exposed to hackers through SQL injection attacks is considered a serious vulnerability.
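The following Python sketch is an added illustration, not code from the Zircon-built site or from this post. It puts the two patterns described above side by side: a login lookup that pastes form values straight into the SQL text and compares them against a plain-text password column, and a hardened version that uses a parameterised query and verifies a salted hash. The sample accounts and the `users_plain`/`users_hashed` table names are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for this demonstration (not data from the reviewed site).
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "letmein")]
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'hex(salt)$hex(digest)'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_db():
    """In-memory database with one table per storage style."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (username TEXT, password_hash TEXT)")
    for user, pw in SAMPLE_USERS:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        db.execute("INSERT INTO users_hashed VALUES (?, ?)", (user, hash_password(pw)))
    return db


def login_vulnerable(db, username, password):
    """The pattern the post describes: form values concatenated into the query and
    compared against a plain-text password column. A quote character in either
    field changes the meaning of the statement."""
    sql = ("SELECT username FROM users_plain WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised lookup (input never becomes SQL text), then hash verification."""
    row = db.execute(
        "SELECT username, password_hash FROM users_hashed WHERE username = ?",
        (username,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


if __name__ == "__main__":
    db = build_db()
    probe = "alice' --"  # constructed input: a quote followed by a SQL comment marker
    print("vulnerable:", login_vulnerable(db, probe, "not-the-password"))  # alice
    print("safe:      ", login_safe(db, probe, "not-the-password"))        # None
```

The hardened version also means that a database dump obtained some other way yields only salted hashes rather than the users' actual passwords.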

Trusting Client-Side Data for Authentication Purposes

Under this category we’re combining “Insecure JavaScript Redirects” and “Relying on JavaScript for Validation“.

The website that Zircon Web Design built for this customer relied on JavaScript redirects to redirect unauthenticated users to the login page of the website. JavaScript can be disabled by the end-user, and is often disabled by people with malicious intent. In the case of this website, if a user visited a page that was supposed to be protected by the login system with JavaScript turned off, they were not redirected to the login page, but instead were shown the protected content without being authenticated. It should NEVER be possible to access protected content without needing to log in or authenticate first.

The image above shows the code responsible for redirecting users that are not logged in. With JavaScript disabled the user would not be redirected at all. This is a very poor, and insecure, way of building a login system.

This is a very serious issue, and a hacker actually used this to gain unauthorized access to this website.

Also, since Google does not use JavaScript when it crawls the web, its crawler was able to see content that was supposed to be password-protected. As a result, information that was not supposed to be visible without first logging in to the site was shown in the Google Search results.

Zircon also relied on JavaScript to validate user input, but failed to validate the data on the server side. One of the golden rules of website security is to never trust user input. Again, because JavaScript can be disabled and manipulated by the end-user, this offers no protection at all. In fact, a hacker was able to compromise this website in part as a result of this vulnerability.

There is a note on the Microsoft Developer Network website (https://msdn.microsoft.com/en-us/library/ee798441(v=cs.20).aspx) that says:

“Remember the two golden rules: never trust user input, and always check data as it moves from an untrusted to a trusted domain”.

Zircon failed to follow either of those rules.

You can also find an article from the Information and Privacy Department at Florida State University here: http://security.fsu.edu/sites/g/files/imported/storage/original/application/972921fa3fd7e1e16b8c22ee42118142.pdf. Again, it highlights the importance of not trusting user input, and doing server-side validation.

“Broken authentication and session management” is listed as #2, and “missing function-level access control” is #7, on the OWASP list of “Top Ten most Critical Web Application Security Risks”.
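As an added example (not code from the reviewed site or from this post), the Python sketch below contrasts a page that relies on a JavaScript redirect with one where the server decides, and shows the kind of server-side validation a listing form needs regardless of what the browser did. The profile page content, the `/login` path, and the form field names and limits are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a logged-in user's profile page (not the site's real content).
PROTECTED_HTML = "<h1>My Profile</h1><p>Phone: 555-0100 (constructed sample)</p>"


@dataclass
class Response:
    status: int            # HTTP status code
    headers: dict = field(default_factory=dict)
    body: str = ""


def profile_page_vulnerable(session):
    """The pattern the post describes: the full protected page is sent to everyone
    and a script in the page is expected to bounce anonymous visitors to the login
    page. A client with JavaScript off, or a search-engine crawler, keeps the content."""
    bounce = "" if session.get("user") else "<script>location.href='/login';</script>"
    return Response(200, {"Content-Type": "text/html"}, bounce + PROTECTED_HTML)


def profile_page_safe(session):
    """The decision is made on the server: no valid session, no content at all."""
    if not session.get("user"):
        return Response(302, {"Location": "/login"}, "")
    return Response(200, {"Content-Type": "text/html"}, PROTECTED_HTML)


def validate_listing(form):
    """Server-side checks for the listing form. These run on every submission,
    whether or not the browser-side JavaScript validation ran first. Field names
    and limits are assumptions for the example. Returns {field: error message}."""
    errors = {}
    title = form.get("title", "").strip()
    if not 1 <= len(title) <= 80:
        errors["title"] = "title must be 1-80 characters"
    description = form.get("description", "").strip()
    if not 1 <= len(description) <= 2000:
        errors["description"] = "description must be 1-2000 characters"
    price = form.get("price", "").strip()
    if not price.isdigit():
        errors["price"] = "price must be a whole number of dollars"
    if form.get("email", "").count("@") != 1:
        errors["email"] = "a single valid e-mail address is required"
    return errors
```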

Cross Site Scripting & Cross-Site Request Forgery

Cross Site Scripting enables attackers to inject scripts into web pages viewed by other site visitors. Basically, a cross site scripting attack allows a hacker to place code on a website, that will be run when anyone else visits that page.

Below is a screenshot of the part of the listing form where a user would normally enter a “description” on the website we reviewed. Notice how I have entered some script code instead. Since the form is not properly validated when submitted, I was able to save my listing with this code in the description box.

The website in question allowed a website user to enter a “description” with each listing. The information entered into this field was not validated at all on the server, meaning an attacker could add malicious code to a listing on the site, and anyone that viewed that listing would have that code run by their browser.

When we tested this we were successfully able to add code to the listing “description”, as shown in the image above, and it was run when viewed by another site visitor. The image below shows that the script was actually run when the listing was viewed.

This allows anyone at all to insert code into pages that would be run by anyone viewing a listing, which could lead to any number of security concerns. One such concern is that an attacker could redirect all viewers of a malicious listing to a website that installs malware on their computer. It also could send your data to a server under the control of someone with malicious intent.

Since this vulnerability allows an attacker to run malicious code on a user’s computer, this can also lead to Cross-Site Request Forgery attacks as well. You can find more about these types of attacks here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.

“Cross site scripting” is listed as #3, and “Cross-site request forgeries” are #8, on the OWASP list of “Top Ten most Critical Web Application Security Risks”.

OWASP also has an article on Cross Site Scripting here: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

And Sucuri has an article on the subject here: https://blog.sucuri.net/2016/04/what-is-an-xss-vulnerability.html
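The following Python sketch is an added example, not code from the reviewed site or from this post. It shows a listing being rendered with the stored description placed into the page as-is, beside a version that HTML-escapes every user-supplied value at output time, and adds a per-session CSRF token check for the listing form. The template markup, the `csrf_token` field name and the session layout are assumptions for the example.

```python
import hmac
import html
import secrets

# Constructed listing markup for the example; the real site's template is not known.
LISTING_TEMPLATE = '<div class="listing"><h2>{title}</h2><p>{description}</p></div>'


def render_listing_vulnerable(title, description):
    """The pattern the post describes: stored form values go into the page unchanged,
    so any markup a visitor typed into the description runs in other visitors' browsers."""
    return LISTING_TEMPLATE.format(title=title, description=description)


def render_listing_safe(title, description):
    """Escape user-supplied values when they are written into HTML, whatever
    validation ran at input time; the browser then shows the text instead of running it."""
    return LISTING_TEMPLATE.format(title=html.escape(title, quote=True),
                                   description=html.escape(description, quote=True))


def issue_csrf_token(session):
    """Create (once per session) a random token for the listing form's hidden field."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def csrf_token_is_valid(session, submitted):
    """Compare the submitted token with the session's in constant time. A request
    forged from another site carries the victim's cookie but cannot read this
    token, so it fails the check."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def submit_listing(session, form):
    """Handle a listing submission: reject forged requests, then render with escaping."""
    if not csrf_token_is_valid(session, form.get("csrf_token", "")):
        return None
    return render_listing_safe(form.get("title", ""), form.get("description", ""))
```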

CKFinder Vulnerability

We think one of the best examples that shows Zircon is not qualified to do this type of work was the original CKFinder vulnerability we discovered back in December, that affected over 80 websites that Zircon had built. So the vulnerabilities we found in the website we reviewed this time were not just a simple oversight. This site was built to the same standard as many other websites Zircon has developed, all of which were vulnerable, and some of which have already been compromised. Simply put, it’s just a continuation of the pattern we have seen in terms of Zircon Web Design and the poor, insecure, quality of their work.

Below is an example of one of the files that was uploaded using the original CKFinder vulnerability we discovered. This image was uploaded to the website of an elementary school.

In this case Zircon ignored not only the warning note on the CKFinder website, but also the warning note contained in the CKFinder configuration file that specifically said NOT to use CKFinder the way Zircon has used it, or that it would leave customers vulnerable to attack. This was an egregious oversight on Zircon’s part, and again shows a lack of web security understanding.

Our original write-up of this vulnerability can be found in our post “Security Alert: Zircon Web Design Inc. (Zircon Web Design & Hosting)“.

“Security misconfiguration” is also #5, and “Using components with known vulnerabilities” is #9, on the OWASP list of “Top Ten most Critical Web Application Security Risks”.

Netflix Scam

Because of the vulnerabilities that Zircon Web Design built into this customer’s website, a malicious attacker was able to gain access to the website and set up a phishing scam. A phishing scam is one where an attacker tries to trick site visitors into thinking they are on a different website, in an effort to steal their user information or login credentials. The best example of phishing scams would be the fake online banking scams many people receive in their e-mail. In those cases they try to trick you into thinking the e-mail came from your bank, so you’ll click a link to their malicious site. This site will be designed to look exactly like your actual bank’s website, and if you enter your login details the information is sent to the attackers, who then have access to your account.

In this case the phishing scam consisted of two parts. The first was a Netflix login screen, which you can see above, that tricked site visitors into entering their Netflix username and password, which would be sent to the attackers. Once a user entered their login details they received a message that there was an error, and that they needed to verify their payment details. If payment details were entered, again this was sent to the attackers. The image below shows the e-mail addresses that were found in the malicious Netflix files.

As the hosting provider for this website at the time we actually received a notification via e-mail from an agent of Netflix, informing us about the scam, and asking us to take the pages down. You can see this notification in the image below.

Blacklisting and Reputation

As a result of the Netflix scam mentioned above the website was blacklisted by a number of web browsers, and security software vendors. Visitors attempting to access the website during this time were presented with a red full-screen warning informing them that the website was “deceptive”. You can see this warning screen above. There’s no need to explain why this is very bad for any website owner.

Having a full-page, red, warning page informing site visitors that a website was “deceptive” is the last thing a website owner would want. Statistics for the website show that during the period it was blacklisted their online traffic dropped by close to 50%.

As you can see, from the information we have available, it does appear as though the blacklisting did cause a significant drop in site visitors for March. This is not a good thing for any business, as it can harm your online reputation.

List of Compromised Websites

Zircon’s work speaks for itself. As stated above, over 80 websites they built were vulnerable to attacks, and we recently discovered another Zircon website that had been hacked, the website of Toya International. To-date we know that the following Zircon websites have actually been compromised.

  • MK Staple
  • MadPadNL
  • Brighter Futures
  • Beachy Cove Elementary
  • NL Association of Occupational Therapists

The sites above were reported in our original post back in December. However, we also came across a Zircon-built site we previously were not aware of being hacked, Toya International. As you can see in the image below, there are several indications that this site had been hacked.

This is a clear indication of the quality of the work that Zircon considers acceptable for paying customers.

Other Signs of Trouble

On http://www.justanswer.com/email/a8aex-using-windows-live-number-years.html there is a discussion that was started by a past Zircon customer indicating that they had left Zircon “for a number of reasons”.

In this Yelp review from 2011 a person says:

“One of the worst web design firms I have ever worked with. The owner is deceptive & completely unethical. She promised us a Joomla or other open-source CMS website – and delivered the most horrible “proprietary” CMS I have ever seen – and one that she clearly didn’t know how to use or develop. After 5 months of specific, probing questions about the CMS she became rude & abusive and demanded more money to fix the problem. Do not use this woman!”

https://www.yelp.ca/biz/zircon-web-design-paradise

The following are also quotes from past Zircon Web Design customers:

“I will tell you that Zircon (Sandra O’Leary) is really difficult to deal with. This was part of the problem moving last time as well. She made it very difficult.”

“We have emails saved from me and my other staff member about Zircon doing a half-assed job. We have put so much time and effort into this business that was set up for failure.”

Summary

Out of the ten items listed on the OWASP list of “Top Ten most Critical Web Application Security Risks”, Zircon Web Design built 8 of them into the site we reviewed. In our opinion the owner of Zircon Web Design, Sandra O’Leary, seems blissfully unaware that website security is even a “thing”. It’s impossible to have this many vulnerabilities, in this many websites, with so many of them compromised, without admitting that something is wrong with the quality of the work being done by Zircon!

The owner of the website we have reviewed has had significant trouble with this website. It has been compromised a number of times, has had phishing scams running from the site, and was blacklisted. When this customer attempted to negotiate a refund the owner of Zircon Web Design, Sandra O’Leary, refused to even discuss the matter in a professional manner, and no refund was ever offered.

We believe that building websites of such poor quality, and refusing to refund customers that have serious issues, is tantamount to scamming people out of their hard-earned money. If Zircon’s customers need to work hard for their money, why should Zircon be allowed to slap together a website of such poor quality and think that is acceptable for them to pay for? Zircon should work hard for that money too!

Imagine you bought a brand new car, and while you were driving it home the wheels fell off, the steering wheel came loose, and the windows fell out, and when you returned to the dealership they just locked the door on you and refused to address the problem satisfactorily. That’s essentially the position that Zircon Web Design has put this customer in. They were left paying for a website that has never worked!

This information has been provided as a public advisory so that you can make an informed decision about who you do business with. This information may help someone avoid all of the problems and trouble that this customer, and other Zircon customers, have had to deal with. In our opinion saying that Zircon Web Design, and Sandra O’Leary, are unprofessional is a major understatement. Save yourself the annoyance, aggravation, and irritation and find a quality developer for your website needs.

Don’t forget to read our original post on this matter if you haven’t read it already. There is some interesting information in that post as well.

TiVaHost