  1. #1

    ModernBill security flaw

    I discovered a significant security vulnerability in Modernbill. Client account passwords are available to all levels of admin users in plain text. This means that if an admin account gets hacked or if an employee gets disgruntled, passwords from all accounts can be collected and subjected to a wide range of fraud activities. This also means that, considering that many people reuse the same passwords, people whose passwords are exposed are vulnerable to fraud in other areas as well.

    Do similar vulnerabilities exist with other billing software?

  2. #2
    Did you report it to them before posting on a related industry forum? I mean, you know people are going to be PMing you looking for how to do this. Perhaps that was the intent? Either way, I hope you reported it to them in great detail so it can be fixed.

  3. #3
    I posted this to modernbill and did not get a response from them. I think that (a) someone might recommend software without this problem, (b) the company might respond to the problem if more people are bothered by it, (c) maybe someone has a way to work around the problem.

  4. #4

    Re: ModernBill security flaw

    Originally posted by gardanni
    . . . Do similar vulnerabilities exist with other billing software?
    Vulnerabilities exist in almost all software. It's just a matter of finding and patching those, on the fly etc.

    I do hope MB takes your claim seriously though.

    Aussie Bob, host since 2001
    Host Multiple Domains on Fast Australian Servers!!

  5. #5
    As for all levels of admins being able to see the passwords, this must be new. It would only be for admin levels that have permission to view client details, no?

    While I agree that admins shouldn't need to know most passwords on the fly, shouldn't the focus be on hiring trustworthy admins that use appropriate password syntax?

    a Digitally Justified Company
    Celebrating our 9th year in Business

    Proudly Hosting with CANADIAN bandwidth
    Managed Hosting, Multi-Domain Hosting, Colocation, Merchant Accounts

  6. #6
    if an employee gets disgruntled
    Hire employees who you trust and who will sign Non-Disclosure Agreements.

    Hostime Managed Hosting
    Opening the bridge between your business and the world.

  7. #7
    There are two camps as far as passwords are concerned. The first is that passwords should be encrypted and the backend program should handle the recovery if the password is lost. The second are those who believe that it is a great service to the customer to tell them what their last password was, and to do that it needs to be in plain text. I prefer the first. However, the only time I would see this as a threat is if there is a vulnerability in MB that would allow a customer to promote their login to administrator. I would think that MB would react quickly to a critical vulnerability like that.

  8. #8
    This has been in modernbill for a lot of versions. It is not a security flaw, it is just a feature.

  9. #9
    Of course I want to hire "trustworthy admins". Who doesn't seek to hire trustworthy people? There is no objective measure of trustworthiness, and until there is, it is a security flaw to needlessly put passwords at risk.

    Besides, we expect to be in business for a long time and, as with any business, expect a fair amount of growth and turnover. Even if the risk of a dishonest employee is tiny, that risk will grow over time as we open ourselves to working with more people.

  10. #10
    Well, if you think plaintext passwords are a problem, you probably HATE the 'Log in as John Doe' link that's right on the client view page, no?

    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large

  11. #11
    Originally posted by WebOnce
    Well, if you think plaintext passwords are a problem, you probably HATE the 'Log in as John Doe' link that's right on the client view page, no?
    No, an admin certainly needs to be able to log into client accounts. They just should not have access to client passwords.
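
Post #7 describes the first camp (store passwords one-way and let the back end handle recovery), and post #11 notes that an admin can log into a client account without ever seeing the password. The following Python sketch, added here by the editor and not code from ModernBill or any poster, shows how both fit together in one account store: passwords are kept only as salted PBKDF2 hashes, recovery issues a one-time expiring token instead of revealing anything, and the "log in as" feature creates an impersonation session that records which admin acted for which client. The class and method names, the PBKDF2 round count and the token lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example (editor's code, not ModernBill's): how a billing back end can
# support login, password recovery and admin "log in as client" without any
# staff member ever being able to read a client's password.

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def derive_key(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation: the password itself is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self, reset_ttl_seconds: int = 3600):
        self.accounts = {}      # username -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)
        self.sessions = {}      # session id -> {"user", "actor", "impersonated"}
        self.reset_ttl = reset_ttl_seconds

    def create_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": derive_key(password, salt)}

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.accounts.get(username)
        if rec is None:
            # Do the same work for unknown users so response time does not
            # reveal whether an account exists.
            derive_key(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(rec["hash"], derive_key(password, rec["salt"]))

    def start_reset(self, username: str) -> str:
        """Recovery for a lost password: a one-time token sent to the client out of
        band. Only the token's hash is stored, so a leaked table is not enough
        to complete a reset."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (username, time.time() + self.reset_ttl)
        return token

    def finish_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop: the token is single-use
        if entry is None:
            return False
        username, expiry = entry
        if time.time() > expiry or username not in self.accounts:
            return False
        self.create_account(username, new_password)  # fresh salt, fresh hash
        return True

    def admin_login_as(self, admin: str, client: str) -> str:
        """The 'Log in as John Doe' feature: an impersonation session created
        by the back end. No password is read, and the session records who
        actually acted, so the action can be audited."""
        if client not in self.accounts:
            raise KeyError(client)
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": client, "actor": admin, "impersonated": True}
        return sid


if __name__ == "__main__":
    store = AccountStore()
    store.create_account("alice", "correct horse")  # constructed sample account
    print("login ok:", store.verify_password("alice", "correct horse"))
    sid = store.admin_login_as("admin-bob", "alice")
    print("impersonation session:", store.sessions[sid])
```

The point of the layout is that an admin who dumps the `accounts` table gets only salts and hashes, an admin who dumps `reset_tokens` gets only hashes of tokens that expire and are consumed on first use, and an admin who needs to act for a client does so through a session that names the admin, which is the distinction post #11 draws between logging in as a client and knowing the client's password.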

  12. #12
    Do people here know which billing systems have better security in this respect?
