Are you telling us that WiseCP itself suffers (suffered) from the same problem, not just your website?
Currently the latest version is 1.6.3. This version was released on 23/01/2019 and there were some complementary arrangements for 1.6.2. So there’s no such thing as you specified. We will take immediate action to update our own web site.
Please, see http://prntscr.com/medeyz
No, that’s not what we’re saying. With WISECP 1.6.2 release, this situation has been eliminated and strong security measures have been taken.
What you see is a notification text of our own web site that uses an older version.
We’ve re-activated the trial version you’re using, so you can see it yourself.
No worries, thanks for the explanation. Hopefully, @FHR will report back with any additional findings.
In all fairness sending plain text password over email is far from new in our industry. Isn’t that still the default function of WHMCS to this day? If not, it sure was for a very very long time regardless of how anyone felt about it.
Thanks for fixing it. I wonder how it could’ve happened in the first place, but the important thing is that it was fixed.
WHMCS sends a password in the “New Account Registration” email, but doesn’t actually store it in plaintext.
Fairly sure I remember someone reputable saying that SolusVM stores passwords in plaintext. So maybe that’s what you’re remembering @jarland
In fact, it was intended to allow users to easily log in at the beginning. Generally, users cannot remember the password information much. However, the password information was never stored in the database as text. It’s encrypted in all circumstances, with a special method. The system decrypts the password and sends you the mail after that. So unless someone hacks your email address, they’ll never reach your account.
We’ve updated it with version 1.6.2, and under no circumstances is the password information shown. The user has to keep the password in mind.
This is how WHMCS works with service passwords to this day, actually. No one likes to talk about it.
Every reversible encryption is insecure by design if I can find your private key. You absolutely do need to use one-way hashing like PBKDF2 or Bcrypt for storing passwords…
I assume you thought that passwords were clearly stored in the database as text.
There never was a situation like this. The password information in your incoming email is stored in encrypted form with a special method in the database. From the very beginning to this day.
If you’re using the old version of WISECP, you can check and confirm your database.
It’s technically hard to find the private key, because part of the key is stored in an encrypted file with ionCube at the core level.
Still, he is right. There’s no need to be able to reverse encryption, so you’re better off encrypting it one-way.
I can fish that key out of memory
Easily with PHP, ionCube only helps to obfuscate and discourage.
Agreed. Consider that a feature request @sitemio
Please try this and inform us if possible.
I’m not suggesting you underestimate ionCube. It is the only encryption technology that is currently undecoded. Do you know anyone who can decode an ionCube file encrypted with a dynamic key?
You can be sure we’ll reconsider. Thanks.
If I find time to do that, I will. Seems like a nice exercise.
Google “cPanel nulled” or “WHMCS nulled”.
It’s their incompetence. It’s not ionCube that’s causing it.
They’re still not developing their encryption technology, whereas it was possible to get ahead of it.
Even if ionCube provided perfect file encryption, the data is still stored in memory.
I can dump process memory and physically find the string you are using for encryption.
You seem to imply that the encryption key is universal across all installations (stored in code). Which is great, because I can get it on my machine and then use it to decrypt databases of all installations.
It used to be like this. But nowadays the situation is more complicated.
If you could try it and get a result, please inform us.
Thanks for your time and pleasant chat.