Quote:
Originally Posted by TheDoc
You ALWAYS have to assume someone could access your admin areas. If people can brute force a paysite what would make anyone think you can't brute force affiliate logins?
I know it didn't happen through ssh/ftp, they tell you to change it and any other passwords they had access to.
Of course NATS now is going to have to crack down and force all clients to lock down the systems, and prob enforce some other changes/rules too. But no matter what, if I give a program my details - it's the programs responsibility to make sure it's safe and secure.
|
I am no false impressions about software but I do expect that when I am pay to buy a software such as NATS and the developers of the software are aware of an issue that they will make it a priority to investigate the issue and make their clients aware of it and what they intend to do about it. I'm sure you can understand how i don't feel like this is too much to ask for.
This vulnerability specificaly targetted the NATS staff admin account and no others as far as i can tell which leads me to assume that it wasn't a brute force attack and if it were it was done because the nats staff account used the same username across multiple nats installations which is a total no-no in security 101 in and of itself.
...