The Redis service is available on my hosting, and if I order it for a fee, it is available only to me, since Redis runs in a separate Docker container.
But if I turn it off, Redis can still be used for free, though server-wide. And here I am connecting to the server-wide Redis:
$redis = new Redis ();
$redis->connect('127.0.0.1', 6379);
And I see there about 300,000 records of other people’s sites.
$allKeys = $redis->keys('*');
echo(count($allKeys)); // ~300000
echo ($allKeys[10000]); // a key name belonging to some other site
echo ($redis->get($allKeys[10000])); // the data stored under that key
And I can change every record! Like this:
$redis->set($allKeys[10000], 0);
That is, someone uses the server-wide Redis, and I believe that the user is not aware of the public availability of their data. They just turned on the “Use Redis” checkbox somewhere in WordPress.
And the question is: is the hosting provider responsible for this? After all, an ordinary user believes that their data is stored only on their server and is available only to them.
The technical support response was: everything is ok.
But I don’t think so, so I ask.
2 Answers
This hosting provider is responsible for the security breach. Considering OWASP’s Top Ten web application security risks, this falls under several of them: Broken Authentication, Sensitive Data Exposure, and Broken Access Control.
What your next step is, is up to you. You should inform the hosting provider, and the hosting provider should inform its users of the possible data breach. This is a very serious security and legal matter, since someone’s possibly private data is accessible to other users.
See: https://owasp.org/www-project-top-ten/
I work in web hosting. This is not correct and means that they have a serious problem on their hands! Ask for a manager or supervisor. If that goes nowhere, MOVE.
From what you described, they have virtual users for Redis users who pay for it. Rather than disabling it for everyone else, they appear to be allowing everyone to access the same shared pool, causing the security breach you’ve described.
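The isolation the second answer describes is missing can be enforced on the shared instance itself with Redis 6+ ACLs: the passwordless default user is disabled, and each tenant gets its own user that can only touch keys under its own prefix and cannot run administrative commands. The following configuration is an added example for illustration, not anything from the question, the answers or the hosting provider; the file paths, user names, prefixes and the placeholder secrets are assumptions.

```conf
# /etc/redis/redis.conf (assumed path): a shared instance hardened per tenant.
# Listen only on loopback; protected-mode refuses remote clients when no
# password is configured, but it does nothing against local co-tenants, so
# the real isolation comes from the ACL file below.
bind 127.0.0.1
protected-mode yes
port 6379
# Keep tenant credentials out of redis.conf. Note: "user" lines may live in
# redis.conf OR in aclfile, not both.
aclfile /etc/redis/users.acl

# /etc/redis/users.acl (assumed path)
# Turn off the built-in "default" user. With it disabled, the unauthenticated
# connect() + keys('*') from the question fails with NOAUTH instead of
# listing everybody's keys.
user default off

# One user per tenant (names and prefixes are assumed):
#   on                  the user may log in
#   >SECRET             password (replace the placeholder with a long random value)
#   ~alice:*            key pattern the user may read or write
#   &alice:*            Pub/Sub channel pattern the user may use (Redis 6.2+)
#   +@all -@dangerous   all commands except the dangerous category, which
#                       includes KEYS, FLUSHALL, FLUSHDB, CONFIG and DEBUG
user tenant_alice on >REPLACE_WITH_LONG_RANDOM_SECRET ~alice:* &alice:* +@all -@dangerous
user tenant_bob   on >REPLACE_WITH_LONG_RANDOM_SECRET ~bob:*   &bob:*   +@all -@dangerous
```

On the tenant side, the WordPress object cache then has to authenticate as its own user and write only under its prefix; with phpredis 5.3 or later that is `$redis->auth(['tenant_alice', $secret]);` followed by `$redis->setOption(Redis::OPT_PREFIX, 'alice:');`, after which any attempt to read a `bob:` key is rejected with a NOPERM error rather than silently returning another site's data. A quick way for a tenant to check whether their provider has done this is to connect without credentials and run a single read: if it succeeds, the instance is still the shared, unauthenticated pool the question describes.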