Over the last few months, our client area has been experiencing odd caching issues which proved to be a problem to pinpoint.
Numerous fixes have been implemented with the assistance of WHMCS staff, however, none seemed to persist.
These fixes were not merely a cache flush and call it a day.
Upon an extended debug, it was found that the culprit for our sessions corruption and data leak was a tawk.to module.
Tawk.to was not only loaded as a module in our WHMCS installtion, but was further added as code to the footer.tpl file when a new template was implemented.
This created two tawk.to profiles attempting to load on the installation simultanously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.
I would like to use this opportunity to notify all clients that access to their account or VPS was impossible.
Upon replication, data found to be leaked were:
No alteration to account details would have been possible. There has been no breach to our servers nor are client accounts accessable.
- Services rendered
- Ticket status and heading
- email address
- Name and address
It was also observed that the leak only took place under 2 conditions while the module tried to load:
Client did not log out Till this day, not one of our clients have recieved spam as a consequence of signing up with HostDoc. We do not sell client details or disclose them to third parties.
- Client was still logged in
It is unfortunate that this issue was so problematic pinpointing and addressing. I would like to thank clients who have been patient with us while we have tried to locate and rectify the root cause and apologise for any data that may have got out.
HostDoc is far from a scam operation and has jumped through hurdles to prove this over the last few years. One thing you can be sure of is that despite the time a resolution has taken to be found, security has always and will continue to remain one of our top priorities.
A further statement will be released in a few months once we have been able to monitor the client area adequately and be sure there are no further instances of this occuring.
As of now, we cannot replicate the data leak.
There has been a dramatic increase in traffic to our client area over the last few days with no sign of the issue reoccuring despite deliberate attempts to recreate.
Once again, please accept our sincerest apology for any and all data leaked during this time. It is not what you (our clients) would expect and it is far from the level of service we aim to deliver.
HostDoc Hosting Team.