Diverse Solutions IDX Security Issue

Hi everyone:

Not happy to be writing this post, and while it’s probably not a very big deal for the vast majority of Agents out there, this newly discovered issue could be huge for some, brokerages in particular.

 

Description:

Two days ago we discovered a sizable vulnerability with the Diverse Solutions control panel.  In short, changing your password may NOT prevent access to your DS control panel by individuals who have accessed your DS control panel in the past.  The problem can be seen by performing the following steps:

  1. Open your browser of choice and log into your DS control panel.
  2. Navigate to your options and change your password.
  3. Close your browser.
  4. Open your browser and visit the DS control panel.  You will already be logged in, and even though your password has been changed, you will NOT be asked to log in again, and you will be permitted to make changes to your account.  You will be able to continue making changes to your account without being required to log in with your new password for an undetermined period of time, but we have verified that sessions may be days old.  Clients we have checked with have reported not being asked to log into DS for months.

 

This has the greatest potential of allowing unauthorized access in the following situations:

  1. Agents or Brokerages that employ developers or consultants to service their webs or socials.
  2. Agents or Brokers that share workstations in their offices.
  3. Brokerages or Agents that employ assistants that may access DS from their laptops, phones, tablets or home computers.
  4. Agents or Brokerages that have changed their DS password to protect their accounts from access by individuals they’ve recently terminated or ended an association with.

 

Prevention:

Because of the nature of the vulnerability, there is very little you can do to prevent access once you’ve shared your credentials.  All any individual must do to continue to have access to your entire DS account is not log out.  As stated above, changing your password will NOT keep them from your account.

For those that have NOT shared their credentials it is important that you log out every time you finish with DS.  If you do not, any of the devices you access your DS control panel from become keys to your account and all it holds.
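Why a password change alone does not help: the server has to tie each session to the credentials it was issued under. The sketch below is an added example, not Diverse Solutions' code (their implementation is not known to us); the class, field names, idle limit and sample account are all hypothetical. It contrasts a session check that ignores password changes with one that revokes older sessions.

```python
import hashlib, hmac, os, secrets, time

class AccountStore:
    """In-memory stand-in for a control panel's user and session tables."""

    def __init__(self, revoke_stale_sessions, ttl=8 * 3600):
        self.revoke = revoke_stale_sessions   # False models the behaviour in the post
        self.ttl = ttl                        # assumed idle limit, in seconds
        self.users = {}     # user -> salt, pw_hash, cred_version
        self.sessions = {}  # token -> user, cred_version, last_seen

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        version = self.users.get(user, {}).get("cred_version", 0) + 1
        # Each password change bumps cred_version; sessions remember the
        # version they were issued under.
        self.users[user] = {"salt": salt, "pw_hash": self._hash(password, salt),
                            "cred_version": version}

    def login(self, user, password, now=None):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(
                rec["pw_hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "cred_version": rec["cred_version"],
                                "last_seen": time.time() if now is None else now}
        return token

    def authenticate(self, token, now=None):
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None:
            return None
        stale = sess["cred_version"] != self.users[sess["user"]]["cred_version"]
        idle = now - sess["last_seen"] > self.ttl
        if self.revoke and (stale or idle):
            del self.sessions[token]          # force a fresh login
            return None
        sess["last_seen"] = now
        return sess["user"]

def old_device_still_works(revoke_stale_sessions):
    store = AccountStore(revoke_stale_sessions)
    store.set_password("agent", "old-password")        # constructed sample account
    old_device = store.login("agent", "old-password")  # cookie left on a shared PC
    store.set_password("agent", "new-password")
    return store.authenticate(old_device) == "agent"
```

With `revoke_stale_sessions=False` the old device keeps working after the password change, which matches the four steps above; with `True` it is sent back to the login page.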

 

What’s at risk:

  • Your configuration data.  Because DS data is what serves your website, deletion or editing of settings could render your entire web presence useless to your consumers.  Per our last conversation with DS, they do not currently have a way of backing up individual accounts, so you would have to rebuild your configuration, including any custom links you had created, which could take weeks for some agents.
  • Lead Data is the biggest area of risk in our opinion.  Many agents, our clients included, make promises as to the confidential nature of the data each consumer submits when they register on their sites.  This flaw may limit some agents', brokers', and brokerages' ability to keep that promise.

It is important to be clear that this security issue should NOT make your data vulnerable to the general public (unless a computer, tablet or phone is lost, stolen or compromised).

 

What has been done to date:

We have notified Diverse Solutions of the issue and are confident they will resolve it quickly, although no timetable has been given for a resolution to the problem.  As of 9:15PM Eastern the issue remains, and we thought it best to share this information with our clients and other DS users.  Again, we’re confident the issue will be resolved in short order, but we felt it best that people have an opportunity to minimize any potential issues.

When you’re done in the Control Panel…  LOG OUT!
Try not to give out your password unless it is absolutely necessary.

Update:

There are some statements strewn around the net that would lead one to believe that the issue described was an isolated case involving one Diverse Solutions client.  This is blatantly inaccurate.  The issue as described is something that affects every single client of this IDX provider at the moment.  We were told that there would be a fix for this system-wide at some point this week.  We will be keeping a close eye on this and let everyone know if and when the issue is indeed fixed.


5 Responses to Diverse Solutions IDX Security Issue
  1. thesa chambers
    February 2, 2012 | 1:50 am

    It’s always good to have such a smart cookie watching over us… thanks

    • Jon Hardison
      February 5, 2012 | 1:46 pm

      🙂 Thx dear. Still watching the issue. hope they get it resolved soon.

    • Derec Shuler
      February 8, 2012 | 5:45 pm

      Smart cookie? Was that a pun? 🙂
