Company uses shady security practice – reaching them for comments was impossible

Security issues are a daily topic for IT journalists, yet some things still manage to surprise us. One of them is the US-based web hosting company Justhost. This is how a simple request for a package downgrade turned into a security nightmare.

Because neither the homepage nor my customer control center offered any information about moving a domain to a cheaper webspace offer, I turned to the 24/7 support chat. After a short talk about my request I was asked to verify my identity, even though I was already logged in. For that purpose the Justhost representative wanted me to submit the last four characters of my password.

This is a practice that sets off alarm bells. According to long-established standards, one should never be asked for a password by an online service provider. The security community does not take kindly to such practices, as the recent incident with T-Mobile Austria's "amazing security" has shown.

Worst practice

When employees can verify you by your password, this can imply several things, none of which shines a particularly good light on Justhost. It can mean that customer passwords are stored unencrypted – in clear text. It can also mean that there is encryption, but also a backdoor that undermines it.

In the best conceivable case, the password is stored as a hash along with a separate hash of the last four characters. But even then, having to reveal part of your password to an almost anonymous employee is a shady practice. Justhost does offer two-factor authentication, but it is not turned on by default. Support reps can also send you a code by e-mail instead of asking for a password, but surprisingly this does not seem to be the default procedure.
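To quantify why even that best case is weak, here is an added Python example (not part of the article and not Justhost's code): it stores a constructed sample password both as a slow full-password hash and as a separate hash of its last four characters, and shows that the suffix hash alone can be exhausted in at most 94^4 guesses (about 78 million for printable ASCII, only 10,000 if the suffix is digits), whereas the full hash offers nothing partial to verify. The salt, sample password and scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import string
from itertools import product
from typing import Optional, Tuple

# Constructed example material; nothing here comes from Justhost's systems.
SALT = b"constructed-demo-salt"
PASSWORD = "Tr0ub4dor&3!1984"   # constructed sample password; last four characters: "1984"
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII chars


def full_hash(password: str, salt: bytes = SALT) -> bytes:
    """Sound design: one slow, salted KDF (scrypt) over the whole password.
    Nothing about 'the last four characters' can be checked against this value."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def suffix_hash(password: str, salt: bytes = SALT) -> bytes:
    """The article's 'best case': a second hash covering only the last four characters."""
    return hashlib.sha256(salt + password[-4:].encode()).digest()


def suffix_keyspace(alphabet: str = ALPHABET, length: int = 4) -> int:
    """Upper bound on guesses needed against the suffix hash (e.g. 94**4 = 78,074,896)."""
    return len(alphabet) ** length


def recover_suffix(target: bytes, alphabet: str, salt: bytes = SALT) -> Tuple[Optional[str], int]:
    """Exhaust the suffix keyspace against a stored suffix hash to measure its strength.
    Returns (recovered suffix or None, number of guesses made)."""
    guesses = 0
    for cand in product(alphabet, repeat=4):
        guesses += 1
        s = "".join(cand)
        if hmac.compare_digest(hashlib.sha256(salt + s.encode()).digest(), target):
            return s, guesses
    return None, guesses


if __name__ == "__main__":
    print(f"printable-ASCII suffix keyspace: {suffix_keyspace():,}")
    found, n = recover_suffix(suffix_hash(PASSWORD), string.digits)
    print(f"digit suffix {found!r} found after {n} guesses; full hash is {len(full_hash(PASSWORD))} opaque bytes")
```

The digits-only run finishes instantly; the full 94-character alphabet is still a trivial workload for any password-cracking hardware, which is why the leaked suffix also shrinks the search space for the rest of the password.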

[Photo: derstandard.at/pichler] The first encounter with Justhost support.

Delivery nirvana

The chat support failed to understand the problem at hand when I immediately brought up those concerns, which is why I asked for a contact to submit an official press inquiry. After all, when writing about this, Justhost should have a chance to comment on the situation and explain its security policy. I ended up trying to contact the company four times without success.

At first I was given an e-mail address to direct my query to. Apparently, this address was meant for general feedback rather than media inquiries. My mail got stuck in delivery nirvana: it seemed the mailbox was not monitored regularly and was thus over quota. I also tried reaching the company on Twitter. Their support account, whose last activity dates from May 2017, never reacted.

Outdated forms and silence

The third attempt was via a contact form provided on the Justhost website. It turned out that sending them a message was simply not possible, because the form used Google's reCAPTCHA version 1 to avoid spam. Google ceased support for v1 back in April, and since then no one at Justhost had bothered to update the form. Lastly, another support representative gave me a different e-mail address, this time meant for "terms of service" inquiries. My request for a statement was received this time, but Justhost failed to respond even several days later.

[Photo: derstandard.at/pichler] The outdated support form with Google reCAPTCHA v1.

Signs point to troubled times

The lack of reachability could be a sign that things don't look bright for Justhost. According to Webhostgeeks, the company currently manages about 230,000 top-level domains, less than half of the number it had in 2013. The Justhost homepage claims that more than a million sites are hosted by the company. Justhost is a subsidiary of the Endurance International Group, which gathers several dozen hosting brands under its roof.

Recent customer statements about Justhost paint a bleak picture. Almost every review includes complaints about bad customer support, and the average rating is fewer than two out of five possible stars. (Georg Pichler, 06.09.2018)