NameCheap has said it intends to notify customers of a misconfiguration issue that allowed customers to create subdomains for any hosted account.Richard Kirkendall, CEO for the ICANN-accredited registrar, said on Twitter that the company is currently conducting an audit and plans on “contacting any affected customers directly” following the discovery of a misconfiguration issue on its nameservers. He went on to say that NameCheap has implemented a fix and that it’s a “high priority” for the enterprise to inform customers of what happened.The issue first came to light on 5 February when NameCheap customer Kirk McElhearn received an email from Google warning him that it appeared someone had hacked a few of his subdomains.
A screenshot of the email received by McElhearn from Google. (Source: kirkville.com)Concerned, McElhearn checked Cpanel to see if anyone had hacked into his account. He didn’t find any new subdomains, including the ones Google told him about in its email.After changing his password for safe measure, McElhearn contacted NameCheap. The registrar looked into the matter and told McElhearn it had detected a misconfiguration issue on one of its nameservers. Essentially, another customer of NameCheap had abused the weakness to add the sudomains for kirkville.com to their own hosting account.That’s not all the flaw allowed, however. As McElhearn explains in a blog post:Even though I have SSL on my website – meaning that it uses https instead of http in its URL – and any incoming traffic to http://www.kirkville.com is automatically redirected to the https version of the site, the sub-domains were parsed by name servers before they reached my site’s server, so they weren’t redirected.From those unprotected pages, unauthorized actors could capitalize on the prominence of another customer’s website like McElhearn’s to distribute spam and malware.NameCheap has yet to reveal the number of customers that the issue affected, but it says it’s working on resolving the issue.The issue should be completely resolved very soon. Just an update: https://t.co/K72Dz8mAfI – Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe.— Namecheap.com (@Namecheap) February 5, 2018In the meantime, McElhearn told The Register he’s still waiting for an official acknowledgment of the issue from the company:They certainly haven’t contacted me about it, outside of the tweet which isn’t what you’d call official. And Teeny tiny is not a useful term.If you are a NameCheap customer, you should check to make sure no one has added any unexpected webpages to your account. It’s also a good idea to confirm you’ve protected your account with a secure password and two-factor authentication (2FA).