Easy hacking? Conception Bay South company says rival not protecting clients

A website hosting and development company in Conception Bay Southsays a rival is leaving customers open to hackers.

TiVaHost has posteda warning on its front page about St. John's based-Zircon Web Design.

According to the post, TiVaHost has"recently discovered a serious security flaw in many of the websites built by Zircon Web Design, and have seen proof that some of Zircon's customers have actually been hacked as far back as 2013."

Some security procedures weren't followed properly, said Sherwin Flight, a partner with TiVaHost.

"That exposed a tool that allows anyone to upload files to a website and can lead to the website being compromised and hacked which would lead to malicious files being placed on the server."

CBC News has had this confirmed byan independent security expert, with years of experience in the field.

Zircon operator Sandra O'Leary didn't want to be interviewed for this story, but did issue a statement Tuesday morning.

"We have been targeted by a competitor in a very aggressive nature over the past month or so. Prior to this we had no business, personal or other dealings with him. In fact we never heard of him or his business," O'Leary wrote.

"It seems hehas chosen to target us for his own agenda. We are not interested in engaging in this in a public forum."

Travel bloggerfinds porn

Flight saidhe became aware of the vulnerability after a Zircon customer was hacked and then switched to his company.

Marilyn Staple is an author and travel blogger, who tried posting an entry on her travel blogwhen she was out of the province in November.

There was Chinese pornography on thewebsite. Pretty disturbing actually.- Marilyn Staple, travel blogger

"First I couldn't get on the website, it wouldn't let me log in. I left it for a little while. I wrote Zircon and told them I was having trouble getting on the website," she said.

"I went back to it, maybe even a day later, and when I went back there was Chinese pornography on the website. Pretty disturbing actually."

Zircon restored the site. Without the porn.

"Basically they said the site had been hacked and perhaps I should have had a more difficult password so they couldn't get at the site," Staple said.

When Staple decided to leave Zircon for TiVaHost, Flight said he found a vulnerability while transferring files.

"We're downloading the files to transfer to our server and our anti-virus alerted us to some potential problems with some of the files," he said.

"Which is when we discovered this tool on the website. In fact on that website we found fourduplicate copies of the same tool so this person in question that was hacked, there was actually four different insecure copies of the same thing on her website."

That led Flight to look at other sites hosted by Zircon.

He saidmore than 80 of the sites had the same vulnerability and are open to being hacked.

In fact, in a YouTube video, hackers offer advice on how to infiltrate a St. John's non profit and Zircon client, Brighter Futures.

Concerns 'brushed off'

Flight said he contacted Zircon owner, Sandra O'Leary, on Dec. 10and told her about the problem but said O'Leary "brushed it off as not being a big deal."

Hehas chosen to target us for his own agenda.- Sandra O'Leary, Zircon Web Design

"We've contacted all of the companies that we know of, that have this vulnerability," said Flight.

"We're just a little concerned because Zircon has also told these same people you know that it's not a big deal and to ignore the emails that we sent out, so at this pointI'm not 100 per cent sure how many of these people are even aware of this problem."