Trustico website goes dark after someone drops critical flaw on Twitter
A screenshot demonstrating a critical vulnerability on the Trustico website before it became unavailable. (credit: @Manawyrm)
The website for Trustico went offline on Thursday morning, about 24 hours after it was revealed that the CEO of the UK-based HTTPS certificate reseller emailed 23,000 private keys to a partner.
The website closure came shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers. The vulnerability was in a trustico.com feature that let customers confirm a certificate was properly installed on their site, and that feature appeared to run as root. By inserting commands into the validation form, attackers could get code of their choice to run on Trustico servers with unfettered "root" privileges, the tweet indicated.
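The flaw as described above has the classic command-injection shape: a form takes a hostname, the server wraps it in a command line to check the certificate, and the attacker's input becomes part of that command. The Python below is added here as an illustration; it is not Trustico's code, and nothing public shows what their handler actually looked like. It puts a hypothetical vulnerable handler that calls `openssl s_client` through a shell beside a hardened one that validates the hostname and passes an argv list. The `openssl` invocation, the handler names and the attacker payload are all assumptions for the demo.

```python
import re
import subprocess

# Strict DNS hostname check: dot-separated labels of letters, digits and
# interior hyphens, an alphabetic top-level label, 253 characters overall.
# This deliberately rejects IP literals, ports, shell metacharacters and
# anything starting with "-" (which openssl could otherwise parse as an option).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def is_valid_hostname(hostname: str) -> bool:
    return bool(_HOSTNAME_RE.match(hostname))


def check_install_vulnerable(hostname: str) -> str:
    """Hypothetical vulnerable form handler (assumed, not Trustico's code):
    the user-supplied hostname is pasted into a shell command line, so ';',
    '$(...)', '|' and friends are interpreted by /bin/sh.
    Returns whatever the shell printed."""
    cmd = (
        f"openssl s_client -connect {hostname}:443 "
        f"-servername {hostname} </dev/null"
    )
    proc = subprocess.run(
        cmd, shell=True, capture_output=True, text=True,
        stdin=subprocess.DEVNULL, timeout=30,
    )
    return proc.stdout


def build_safe_argv(hostname: str) -> list[str]:
    """Hardened form: validate first, then build an argv list so no shell
    ever sees the input. Raises ValueError on anything but a plain hostname."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"refusing to check {hostname!r}: not a valid hostname")
    return [
        "openssl", "s_client",
        "-connect", f"{hostname}:443",
        "-servername", hostname,
    ]


def check_install_safe(hostname: str) -> str:
    """Runs the validated argv directly (no shell) and returns openssl's stdout."""
    argv = build_safe_argv(hostname)
    proc = subprocess.run(
        argv, capture_output=True, text=True,
        stdin=subprocess.DEVNULL, timeout=30,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed attacker input: the openssl part fails harmlessly against a
    # closed local port, ';' starts a second command, '#' comments out the rest.
    payload = "127.0.0.1:1; echo INJECTED #"
    print("vulnerable handler output:", check_install_vulnerable(payload).strip())
    try:
        check_install_safe(payload)
    except ValueError as err:
        print("hardened handler:", err)
```

Passing an argv list on its own already stops the shell from interpreting metacharacters; the hostname check adds a second layer by refusing input such as `-showcerts` that a tool could treat as an option rather than a name. Neither change addresses the other half of the report, that the feature appeared to run as root: a check like this should run under a dedicated unprivileged account so that any remaining bug in it cannot hand out root.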
"If this is the case it's about as bad as it gets," security researcher Scott Helme told Ars.