Even though I have SSL on my website – meaning that it uses https instead of http in its URL – and any incoming traffic to http://www.kirkville.com is automatically redirected to the https version of the site, the sub-domains were parsed by name servers before they reached my site’s server, so they weren’t redirected.

From those unprotected pages, unauthorized actors could capitalize on the prominence of another customer's website like McElhearn's to distribute spam and malware.

In an email sent to The State of Security, Kirkendall says the issue stemmed from NameCheap's use of a custom implementation of DNS for its shared hosting systems, which he says are separate from its core domain business. The company uses shared hosting to point all domains to the same DNS cluster servers. While it has benefits for NameCheap, Kirkendall explains, the setup created the issue reported by McElhearn:

Any client on our Shared Hosting was able to add a subdomain of the domain pointed to DNS cluster to it’s [sic] cPanel and manage it from there. To do so one just needed to find out that the domain was pointed to our DNS cluster.

Kirkendall confirmed that the number of affected domains was "less than 100" and that NameCheap rolled out a fix on the same day of discovery. Even so, McElhearn told The Register he's still waiting for an official acknowledgment of the issue from the company:

They certainly haven't contacted me about it, outside of the tweet which isn't what you'd call official. And Teeny tiny is not a useful term.

If you are a NameCheap customer, you should check to make sure no one has added any unexpected web pages to your account. It's also a good idea to confirm you've protected your account with a secure password and two-factor authentication (2FA).