Security Alert: Zircon Web Design Inc. (Zircon Web Design & Hosting)


Vulnerability Type: Insecure file uploads
Vulnerability Summary: An insecure installation of CKFinder can allow an attacker to gain full control of your website
Threat Severity: Severe
Well-Known Threat: Yes – Widely publicized online
Has Been Exploited: Yes – Zircon customers have already been hacked
Vulnerability Reported: Yes – Reported to developer/host, and affected users on December 10, 2016
Vulnerability Patched: Yes – On December 30, 2016, the vulnerable files were removed from the affected sites

* UPDATE: Since this post was written we’ve discovered many other issues with Zircon-built websites. The new post is titled “Security Alert: MORE Security Problems With Zircon Web Design“. *

At TiVaHost we take the security of customer data very seriously. We have helped a number of customers clean up their websites after they have been hacked. Sometimes it takes hours of work to clean up an infected account, when five minutes of work could have prevented the problem from occurring at all. Anytime we become aware of a security issue that could affect a person’s website, we inform them of the problem, whether they are a TiVaHost customer or not. If it’s a larger issue, affecting several customers of the same provider, we will let the provider know about the problem as well, so that the vulnerabilities can be patched.

However, sometimes we run into cases where we feel that a provider is not even following the most basic of security protocols, leaving customers vulnerable to online hacking attacks. When it becomes clear to us that a specific provider does not understand what it takes to keep customer data safe, and customer accounts are actually being compromised, we feel it is our duty to let people know. When a person or business chooses a developer to build their website, and hosting provider to host it, they are trusting that their data is safe, and that the developer and host know how to keep it safe.

When this trust is breached, and accounts are being hacked, those in harm’s way have a right to know.

Recently we have run into such a case with Zircon Web Design Inc., based in Paradise, Newfoundland. In this case, Zircon Web Design Inc. is the developer, and is also acting as the hosting provider. We first reported these vulnerabilities to Zircon on December 10, 2016. Now that sufficient time has passed to allow Zircon to patch this flaw, and they have not, we are releasing the details of this vulnerability to the public in an effort to get Zircon to properly patch these sites.

Basic security principles were not followed by Zircon during the development of customer websites, and customers of Zircon were vulnerable to attack for several years, and some of them were actually hacked and lost data. One Zircon customer had their website content replaced with Chinese pornography. Another Zircon Hosting customer was also used in a hacking tutorial video posted to YouTube back in 2015, in which a hacker is showing how easy it is to find vulnerable websites, and hack into them, and uses a Zircon Web Design customer as an example in their video. Other evidence of attacks against Zircon Web Design customers was also found online. Much of this information is contained in the report below.

A brief overview

We were approached by a Zircon customer, who wanted to switch their website from Zircon Web Design Inc. to TiVaHost. They informed us that their website had been hacked around the middle of November 2016 and Chinese pornography was added to their website. The website was restored by Zircon, but data was lost in the process.

Once we transferred the website files to our server, and ran a security scan, we were alerted to some malicious files that were still present on the site.

The customer had asked us to investigate the cause of the hack, and see if we could figure out how the malicious files were placed on the server.

We were able to find a vulnerability in the website very quickly, and the flaw we found was a major security concern. The problem was immediately reported to Zircon but, as of the publishing of this advisory, the flaw remains un-patched.

What happens if a site is hacked? Why is this a big deal?

When a website is hacked, the attacker can use the account and website for any number of malicious activities, including:

  • Replacing the website with a website of their own, or redirecting website visitors to a different website.
  • Displaying pornographic material on the website.
  • The hosting of online banking scams, to defraud people of their banking information.
  • Deleting or defacing the website as an act of vandalism.
  • The sending of spam, which is often adult/pornographic in nature, under the customer’s name/e-mail addresses. This happens very often with hacked accounts.
  • Hosting malware on the website, that could infect the computers of people visiting the website.
  • Anything else they want to do, as they have full access to the account.

We have seen all of these things happen to people who did not properly secure their websites.

How we discovered the vulnerability

We received a new registration from a Zircon Web Design customer that indicated they wished to transfer their existing website from Zircon to TiVaHost. The customer also indicated that their website was hacked in November 2016, that Chinese pornography was added to their website, and that some data was lost when Zircon restored the site from an older backup. We were asked to investigate to see if we could determine the cause of the hack.

We transferred the website files from the Zircon/InMotion server to the TiVaHost server, as we have done many times before when migrating other clients. We ran a security scan on the website files, and were alerted to several suspicious files.

Upon reviewing the suspicious files, we discovered that they were files from the November 2016 hack, that were not properly removed or cleaned-up after the hack was reported to Zircon Web Design. So approximately a month after Zircon was alerted to the attack, malicious files remained in the customer’s account. It appears that there is no security software running on the server to detect malicious files, or if there is, the notifications from this software were not properly acted upon by Zircon.

The malicious files that were left behind were part of an exploit that allowed the attacker to have full access to the customer’s account. An attacker could upload, download, and modify any files they wished.

These malicious files also had functions listed like “Mass Deface”, “Mass Delete”, “CPanel Crack”, “SMTP (E-Mail) Grabber”, “Fake Root”, and more. These are all functions that could be used to delete, deface, or otherwise attack a website, and it was not removed by Zircon after being notified of the hack against this customer’s website.

The image below shows what was left on the customer’s account, a month after reporting to Zircon that they were hacked.

So how did these malicious files get there, on the customer’s website? We were determined to find out.

Website was built with a major security flaw

We started to review the rest of the files in the customer’s account, to see if we could find any sort of vulnerability or exploit that could have allowed the malicious files to be uploaded to the server. Of interest was a utility called CKFinder, that was included with the website when it was built by Sandra O’Leary of Zircon Web Design.

When we checked out this tool we realized that it was NOT properly secured, and allowed anyone on the internet to upload files to the customer’s website.

There is a known vulnerability with CKFinder, that has been well-known online for several years now, that could allow a hacker to gain access to your hosting account if CKFinder is not properly secured.

There are quite a few videos, and websites, showing people how to FIND, and EXPLOIT websites that use CKFinder. So having an insecure installation of CKFinder on your website is a major security concern. In this particular case, not only did we find an insecure copy of CKFinder, we actually found three separate copies of CKFinder on this customer’s website, all three of which had the same vulnerability.

Realizing that this was a major security issue, we decided to check the websites of other Zircon customers to see if they too were vulnerable to this same problem. We found that over 80 websites built by Sandra O’Leary of Zircon Web Design suffered from the same vulnerability. They all had insecure copies of CKFinder!

We reported what we found to Zircon, and the affected customers

Realizing that over 80 local businesses, schools, towns, and other groups, were at a very high risk for being hacked, we sent out a message to Zircon to let them know that we found malicious files, and that CKFinder was not properly secured which was a major security concern.

As this was a serious situation, we also decided to send a security advisory directly to the affected Zircon Web Design customers that we identified as being vulnerable. As they are the ones with the most to lose, we felt it the responsible thing to do to notify those affected of what we had found, so they could take the necessary steps to secure the websites, backup files, etc.

We are of the opinion that Zircon did not take our notification seriously, or did not realize the seriousness of the situation we uncovered. Approximately 24 hours after we first reported the issue, the vulnerability remain unpatched.

YouTube hacker shown hacking Zircon customer’s website in 2015

As we discussed this issue internally, we decided to check YouTube to see if there was a video that explained how a website could be exploited by using an insecure installation of CKFinder. We figured that a video would be a good way to explain to those affected by the vulnerability why failing to secure CKFinder is a major security concern. There were a number of videos that turned up in the search results, so we just randomly picked one to watch.

A couple of minutes into the video, we looked at each other in amazement.

Not only did we find a video that demonstrated how easy it is to find, and exploit, websites with this vulnerability, but in the video the hacker is actually hacking into the website of a Zircon Web Design customer, Brighter Futures, a local non-profit organization!

Brighter Futures is not the customer we were originally doing work for, so this is now a second Zircon customer we can confirm has been hacked. The video was also uploaded to YouTube in November 2015, so we know that the site was vulnerable for at least a year.

So now we had solid, undeniable, proof that this vulnerability that Zircon built into these websites was actually being exploited by hackers!

Oftentimes when a website is vulnerable, or has been hacked, the hackers share this information around the internet. So knowing that, we decided to do some more online searching. We did find references of Brighter Futures being hacked on a number of websites. Those websites do not appear to be the most trustworthy, so we won’t share those links here out of an abundance of caution.

However, we did find a post on Facebook about it from back in 2014.

So now we’ve established that this website was vulnerable for at least a couple of years.

The video also revealed some other information, indicating that there had been previous hacks into the website.

In the YouTube video you can see a list of files and folders that had existed on the account of Brighter Futures. As you can see in the screenshot above, there are references to “Anonymous“, “Free Palestine & Gaza“, and the “Mexican Electronic Army” to name a few. These are most likely files that were placed on the site by hackers.

We were also able to determine that there were files uploaded to the site by a hacker back in 2013, which can be seen in the screenshot below, so now we’ve established that Brighter Futures has been vulnerable, and hacked, for at least three years.

There was no disputing the insecurity of the Zircon-built websites at this point. Along with all of the data we had collected, there was also video proof, and posts on a number of websites indicating that Brighter Futures had been hacked. The same vulnerability exists in over 80 websites built by Sandra O’Leary of Zircon Web Design, so what happened to Brighter Futures could happen to other Zircon customers as well.

In fact, when we repeated the advanced Google search shown in the YouTube video the website of the Newfoundland and Labrador Association of Occupational Therapists was on the first page of the results, making them an easy target as well.

We reached out to Brighter Futures, and alerted other affected Zircon customers

After finding evidence that Brighter Futures was known to be vulnerable, and had already been hacked a number of times, we sent them a message directly informing them of the YouTube video we had found showing their website being hacked. We did not hear back from Brighter Futures. Their website is still vulnerable.

We also sent a follow-up advisory to the affected Zircon customers, to let them know that the vulnerability in their websites was already being exploited on the website of other Zircon customers, and this information was being shared online.

We did receive two or three e-mails from people asking us to no longer contact them, which is fine. We were reaching out to them to let them know about a major vulnerability on their websites, that hackers were already using against Zircon customers, and they seemed to dismiss the concerns.

However, one request in particular stood out for us. We received a message from Upper Gullies Elementary School stating they did not want to receive any further security advisories from us. This was despite their website being vulnerable, and still remaining as-of-yet unpatched and vulnerable to being hacked.

As a public school, especially an elementary school, they should be quick to react to security concerns related to their website. One Zircon customer already had pornography placed on their site by hackers, and this would be a very embarrassing situation for a public school to find itself in.

Upper Gullies Elementary School was not the only public institution that we found to be vulnerable. There were several others, such as:

  • Beachy Cove Elementary School
  • Cape St. Francis Elementary School
  • Hazelwood Elementary School
  • St. Theresa’s School
  • Town of Kippens
  • Town of Clarke’s Beach

These sites are still vulnerable.

We have found files on the website of Beachy Cove Elementary School that are most likely files that were placed there without the school knowing. The image below was found on the Beachy Cove Elementary School website. At the time of writing it was still available here: http://www.beachycove.ca/ckfinder/userfiles/files/img.jpg

We have also found evidence that seems to suggest that someone did try to hack into the Beachy Cove website, as can be seen in the image below showing part of an encrypted script file:

We found a number of concerning files on the Beachy Cove website:

These are public institutions that should be making good decisions in the public interest. Having publicly-funded schools and towns taking a lax attitude towards online security is concerning. Especially given that we are already finding unauthorized files on their sites.

There were other private businesses/groups that had unauthorized files on their system, including the NL Association of Occupational Therapists, which appear to have had some files uploaded that were written in another language, with a lot of links pointing to Brazilian websites. That can be seen in this screenshot:

These websites are all still vulnerable today, despite anything Zircon may have said to the contrary.

Zircon attempted a fix, but failed to resolve the problem

We are under the impression that once Zircon was made aware of their customer being shown in a hacking demonstration video online, they realized that this issue was a concerning matter. It was at that time that Zircon attempted to patch the vulnerability.

However, the steps taken by Zircon Web Design did absolutely nothing to secure the websites of those affected, it merely tried to hide the problem. The fix applied by Zircon is the digital equivalent of sweeping the dirt under the rug. The dirt is still there, you just can’t see it under the rug. Just the same as the original vulnerability still exists in these websites, you just can’t see it behind the blank white page that Zircon Web Design has applied as a fix.

I reached out to the developers of CKFinder, to ask if this blank screen implemented by Zircon would be enough to secure these sites. Here is my question to the developer, and their reply:

With a simple browser add-on anyone can see right through that blank white page, revealing the CKFinder, and allowing them to again exploit the vulnerability in the tool to take control of the website.

(Due to larger screen size, this video is better watched on a computer in high quality!)

The fact that these websites are still vulnerable was confirmed by CBC News, through an independent expert. (There is a link to the CBC article at the end of this post.)


Zircon does not seem to understand website security at all

Zircon built over 80 websites, including websites for schools and local towns, with a major vulnerability in them that could easily allow hackers to take control of the websites. Zircon customers were being hacked for years, and Zircon had no idea. This puts the data of customers at a major risk. As one Zircon Web Design customer learned the hard way, sometimes when a hacker deletes your data, you cannot get it back. This customer lost content from her website and did not have a backup copy, so the content was lost, in addition to pornography being shown on her website.

The “fix” Zircon applied, that they believe has fixed this issue, leaves customers just as vulnerable as when they started. It simply does nothing to patch the vulnerability. If Sandra O’Leary actually understood web security she would have had these websites patched by now. It has now been over eleven days since we reported the issue to her, and the websites are still vulnerable to hacking.

It is also important to note that Zircon built the vulnerable websites using CKFinder, and didn’t even follow the instructions provided by the developers of CKFinder to properly secure it.

On the CKFinder website, http://docs.cksource.com/CKFinder_2.x/Developers_Guide/PHP/Configuration/Quick_Start, it clearly says:

“Without authentication support anonymous users would be able to use CKFinder on your website, including uploading and deleting files from your server.”

They also provide instructions on how to properly use, and secure, CKFinder. This information, that came directly from the CKFinder developers, was ignored by Sandra when she built over 80 of these websites! As a result Zircon customers were, and still are, at risk for hacking, and some customers have lost data and have had unauthorized files uploaded to their websites. It is very concerning to see a developer make such obvious mistakes, and show a lack of understanding of web security, leaving so many websites vulnerable for so long after being notified of the problem.

Media coverage

These issues have now been covered by the CBC, and you can read the article here: http://www.cbc.ca/news/canada/newfoundland-labrador/tivahost-zircon-web-design-hacking-1.3906672

In the article Sandra O’Leary, owner of Zircon Web Design, again downplays the severity of this vulnerability. Even when faced with mounting evidence showing that her customers are vulnerable, and have been hacked, she downplays the importance of the matter by brushing it off as aggressive marketing. Sandra will still not accept the fact that the websites she has built are still vulnerable, despite our findings being confirmed by an independent security expert, with years of experience in the field, and this places the websites of over 80 Zircon customers in jeopardy.

Better safe than sorry

At this point, given all of the information we have uncovered, the lack of knowledge shown by Zircon Web Design, and their inability to keep customer data secure, we would advise against using Zircon to host anything important or critical to your business, such as a business website or e-mail. Proper security protocols are not being followed by Zircon, and it’s just not worth the risk to your website, or your reputation. The evidence seems to point to a case where Zircon customers are having people access their websites without authorization, and Zircon is unable to implement a fix to stop them.