That’s not how security works, security is not obscurity.

Today the domain and hosting provider NameCheap had a security flaw that let anyone create subdomains on any site that was also hosted with the provider. This created a huge potential for spam and abuse, as Kirk McElhearn, who was affected by this, found out (you can view his post about this on his blog).

The one major problem: NameCheap does not like it when you post about them, at all. A security expert posted a link to Kirk’s blog, which was followed by comments from NameCheap saying it should be removed and that “We definitely don’t want word to spread”, followed by “We want to keep these under the radar”. Not long after it was pointed out that they should not be trying to hide this, they removed the tweets you can see below.

NameCheap has since said in direct tweets that they fixed it, but even 10 hours later has not posted about it publicly at all on the account’s blog or Twitter feed.

They have, however, commented with a link to a 2nd Twitter account where a vague tweet was made about the flaw, saying it only affected a “teeny tiny” amount of hosting users. The problem with this is that the comments are not visible on the account’s public Twitter page. As a company you should get ahead of any flaws and let users know what you are doing to fix the problem. Hiding the flaw and trying to downplay it does not help the company or the customers.
