
Easy hacking? Conception Bay South company says rival not protecting clients

TiVaHost says Zircon Web Design has left many of its clients open to hackers and is refusing to acknowledge the problem.

Travel blogger switched companies after finding porn on her website

Sherwin Flight is moderator of the Newfoundland Tenant and Landlord Support Group - a Facebook group with over six thousand members. (Submitted photo)

A website hosting and development company in Conception Bay South says a rival is leaving customers open to hackers.

TiVaHost has posted a warning on its front page about St. John's-based Zircon Web Design.

According to the post, TiVaHost has "recently discovered a serious security flaw in many of the websites built by Zircon Web Design, and have seen proof that some of Zircon's customers have actually been hacked as far back as 2013."

Some security procedures weren't followed properly, said Sherwin Flight, a partner with TiVaHost.

"That exposed a tool that allows anyone to upload files to a website and can lead to the website being compromised and hacked which would lead to malicious files being placed on the server."

CBC News has had this confirmed by an independent security expert with years of experience in the field.


Zircon operator Sandra O'Leary didn't want to be interviewed for this story, but did issue a statement Tuesday morning.

"We have been targeted by a competitor in a very aggressive nature over the past month or so. Prior to this we had no business, personal or other dealings with him. In fact we never heard of him or his business," O'Leary wrote.

"It seems he has chosen to target us for his own agenda. We are not interested in engaging in this in a public forum."

Travel blogger finds porn

Flight said he became aware of the vulnerability after a Zircon customer was hacked and then switched to his company.

Marilyn Staple, an author and travel blogger, tried posting an entry on her travel blog while she was out of the province in November.


"First I couldn't get on the website, it wouldn't let me log in. I left it for a little while. I wrote Zircon and told them I was having trouble getting on the website," she said.

"I went back to it, maybe even a day later, and when I went back there was Chinese pornography on the website. Pretty disturbing actually."

Zircon restored the site. Without the porn.

"Basically they said the site had been hacked and perhaps I should have had a more difficult password so they couldn't get at the site," Staple said.

When Staple decided to leave Zircon for TiVaHost, Flight said he found a vulnerability while transferring files.

"We're downloading the files to transfer to our server and our anti-virus alerted us to some potential problems with some of the files," he said.

"Which is when we discovered this tool on the website. In fact on that website we found four duplicate copies of the same tool so this person in question that was hacked, there was actually four different insecure copies of the same thing on her website."

That led Flight to look at other sites hosted by Zircon.

He said more than 80 of the sites had the same vulnerability and are open to being hacked.

In fact, in a YouTube video, hackers offer advice on how to infiltrate a St. John's non-profit and Zircon client, Brighter Futures.

Concerns 'brushed off'

Flight said he contacted Zircon owner, Sandra O'Leary, on Dec. 10 and told her about the problem but said O'Leary "brushed it off as not being a big deal."


"We've contacted all of the companies that we know of, that have this vulnerability," said Flight.

"We're just a little concerned because Zircon has also told these same people you know that it's not a big deal and to ignore the emails that we sent out, so at this point I'm not 100 per cent sure how many of these people are even aware of this problem."