Recently I was researching hacked hotel websites, and step by step I reached the website of the Q Brainstorm Software company. Q Brainstorm Software is an IT company from India, established in 2004. The company offers an extensive range of services based on several programming languages: website development, mobile app development and even SEO. Briefly, “We do everything”. But what attracted my attention was not their services but their products.
Q Brainstorm Software products
Looking at the product page, I see the list of several products:
- Hotel Desktop – Available in three different versions, ultimate hotel management solution for small and medium accommodation facilities.
- Hotel web – Hotel Pro desktop version can be further enhanced with a web module where you can manage your reservations and view the calendar using just a web browser.
- Hotel Mobile – Hotel mobile app is a comfortable way of managing your reservations from any place in the world. Only a mobile phone or tablet is required.
- Channel Manager – Hotel can be synchronised with the most popular channel managers in the world such as YieldPlanet, Octorate or WuBook.
- Online Booking Engine – Allow customers to make reservations directly through your website with a modern, fully customizable online booking engine.
- Advanced Functionalities – Accounting, statistics, logbook, customizable documents, automated emails, rate plans, services, meals management and more!
These products are business oriented, which is a little frightening to me, and I’ll tell you why.
If you’re looking for software to power your business, one of the primary requirements is that the software is secure. Vulnerable software can endanger a business in various ways. Now let’s think about whether you can trust your business to a company and its products if the company’s own website is hacked. Yes! Hacked.
Hacked Q Brainstorm Software website
Now let’s look closer at what is happening. First of all, I need to mention that the website runs on WordPress, on an outdated, insecure and vulnerable WordPress version. Just imagine a company running software released in 2016. Since the release of version 4.5.1, eleven WordPress security releases have been published. OK, let’s assume the website has some significant modifications and it is too hard to upgrade WordPress.
Then I decided to check out /wp-login.php, and I succeeded. The login form is freely accessible to anyone, and there is no protection against brute-force attacks. Moreover, I found some interesting details on this page. You can see them marked with arrows on the screenshot below. Enjoy.
I don’t know what to say. Is it possible not to notice the signatures left by the hacker “Hunter Bajwa” and the hacker team “Team Bl@ckLeets” on the login page? Well, everything is possible if the hack is fresh. I looked at the Google SERPs, and most of the indexed pages carrying the hackers’ signatures on this site were cached on 5 Mar 2018 22:00:31 GMT. Anyway, that changes nothing: this site has been hacked for more than a week and nobody noticed?
I would understand if this were a personal blog like mine; I very rarely check what’s going on and write even less often. But this is a company page. And the biggest problem is not that the website was hacked; the biggest problem is how you react to the security incident and how quickly you manage the situation.
As I said before, the hack itself is not the biggest problem for Q Brainstorm: every website can be hacked sooner or later. The main problem is the time taken to identify the breach and react to it. The screenshots above also show how negligent their approach to the security of their own website is, and that puts a huge question mark over the software they offer: who can guarantee that it is safe? Finally, it appears that Q Brainstorm Software also offers hosting services, which makes it all the more surprising that they missed the hack on their own website for so long.
Please be more careful when you choose a software or service provider. Pay more attention to your website and deploy security tools that are at least capable of identifying a breach. Don’t use outdated and vulnerable software versions. If your website is powered by WordPress, always keep it up to date. Make sure all plugins and themes are also up to date, and take every action necessary to harden the website.
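The advice above to run tooling that can at least notice an attack on the login form, as an added example that is not from the original post: a small Python detector that reads web-server access logs and flags IPs hammering /wp-login.php. The log lines, threshold and window below are constructed assumptions, not data from the site discussed.

```python
"""Added example, not code from the original post: flag brute-force attempts on
/wp-login.php from web-server access logs. Log lines below are constructed sample
data in combined log format; threshold and window are assumed defaults to tune."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string (e.g. ?redirect_to=...)
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])

def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total POSTs} for every IP that submits the login form at least
    `threshold` times inside any sliding `window`. Only POSTs count: a GET merely
    renders the form, a POST is a credential attempt."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            attempts[rec[0]].append(rec[1])
    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

SAMPLE_LOG = [  # constructed sample data, not real traffic
    '192.0.2.9 - - [05/Mar/2018:22:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3142',
    '203.0.113.7 - - [05/Mar/2018:22:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4010',
    '203.0.113.7 - - [05/Mar/2018:22:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4010',
    '203.0.113.7 - - [05/Mar/2018:22:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4010',
    '203.0.113.7 - - [05/Mar/2018:22:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 4010',
    '203.0.113.7 - - [05/Mar/2018:22:00:23 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin HTTP/1.1" 200 4010',
    '198.51.100.2 - - [05/Mar/2018:22:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.2 - - [05/Mar/2018:22:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Run it over your own access log (one line per list entry) and feed the flagged IPs to whatever blocking or alerting you already have; the second IP is deliberately slow so it shows that the window, not the raw count, decides.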
2018 March 14 - Q Brainstorm Software was notified of the security breach by email.