I’m a customer of Hover for my domain name needs. However, that will be changing because I don’t believe that they take issues seriously.
The first security issue
I was browsing their site, looking for a new domain, and being the constant tinkerer I am, I entered a single quote into the textfield. I noticed an error, and eventually crafted this url:
There’s nothing magical in that URL, however it demonstrated a real vulnerability in their code:
From that point, it could be trivial for an attacker to redirect traffic, and steal user sessions, thus being able to purchase domains with someone else’s money.
I reported this issue to them, and had an update within 3 days. They had fixed it, and that URL no longer is vulnerable.
The second security issue
In January, I was discussing Cross-Site Scripting attacks with a coworker, and was talking about the finding I had with Hover and how quickly they responded. Upon further investigation, I found that they didn’t really fix it, they just put a band-aid on it. I found the following URL was still vulnerable, but it was a little harder to exploit (onMouseOver):
This really depressed me, since I have spent my fair share of time being a developer, and I always tried to actually fixproblems, instead of just making the symptom go away. Again, I reported the issue, hoping that I’d get another quick turnaround. I asked them to reply within 30 days to indicate their intent on coordinating efforts for remediation. I waited, but I still have no response from them, and it’s been over 30 days. I still can’t believe they couldn’t even respond with a, “We’re working on it”, response.
The billing issue
I received an email from Hover about a domain name of mine expiring soon. I went into my account, and saw that the credit card was expired, so I went to update it. Unfortunately, I got this error instead:
Declined by Fraud Service
Now, I figured that it was some sort of error, and tried filling it out a couple more times, verifying my card number was correct.After-all, I was only updating the expiration date, nothing else. Unfortunately, all this resulted in were several temporary one dollar charges on my credit card.
Again, I contacted Hover and was disappointed yet again. I stated that I was trying to update my credit card details, and instead they renewed my domain for another year, and said, “it failed when you placed the order, but I was able to renew it on my end”. I was a bit upset because I hadn’t yet decided if I was going to renew through them or not yet, due to the previous security issues. I replied back that it still wasn’t helping me for my other domains that will need renewed at some point, and was given these instructions to help troubleshoot:
- Use only the first and last name, no middle initial.
- Change the phone number to numbers only, no hyphens.
Their next steps were to have me call, and give them my credit card number over the phone, and have a billing statement ready to verify every bit of information, as if I’ve never used a credit card on a website before. It was a bit insulting.
The 0-day security issue
This time, it’s a persistent Cross-Site Scripting vulnerability. Every time I navigate to my DNS management screen, I now get a dialog with my cookie. All a user had to do was add a TXT record with the following data:
They apparently do not even try to filter user-input at all. It’s quite depressing.
Hover seems to suffer from the inability to filter user-input. This has become a big problem over the last few years. There are many attacks stemming from this seemingly simple attack. I did my best, and tried reporting to them, but they seem unresponsive, and even when they are, it’s not always useful.
I will be moving my domains elsewhere. I haven’t yet decided where, and I have a bit of time, but I just don’t feel safe keeping my data stored somewhere that can’t even stop basic OWASP Top 10 vulnerabilities on their main page.