Possible VPS vulnerability: photorec can recover other users' data (digdeeper.club)
3 points by validatori on March 11, 2025 | hide | past | favorite | 2 comments


A vulnerability was observed on Incognet VPS (and potentially other providers such as kyun.host and buyvm), where photorec can recover files belonging to other customers. Thousands of unrelated images, databases, and executables were discovered. Incognet downplayed the issue. As a result, anyone could potentially extract other users’ sensitive data, indicating that VPS virtualization does not protect against this method of file recovery.


We responded to your original ticket in 20 minutes. Your ticket, titled "fix your fucking vuln"

You submitted it: Posted on Sunday 16th February at 15:08

We responded: Posted on Sunday 16th February at 15:28

We never heard back.

Weeks later, you post on Twitter.

We respond to your ticket again, having not heard from you. We express a desire to review this in greater detail.

We provide two additional, lengthy, detailed responses of what we did and how you can replicate it to test.

In the end, on a fresh OS install on a fresh VPS, what we were able to "recover" was documentation and manpage files related to the OS. As mentioned, this was assumed to be from the OS images provided by Virtualizor. (Will run the same tests on the new stack we're testing since they use cleaner, more minimal OS images)

By your admission you reinstalled your OS from an active XMPP server. There is a reasonable assumption that the files you have recovered are simply the files your XMPP users have sent/received to one another. You cannot access data from other users with this method. This is similar to reinstalling the OS on your laptop only to realize you forgot to back up the photos of your wedding, so you run a data recovery tool to see what you can get.

I even offered you another VPS for you to test, so that you could replicate my steps to see if the results were the same. You continue to not respond to the ticket and misrepresent the situation.

In any case, as announced weeks ago, we're in the process of updating and upgrading all of our VPS nodes. If there is something we can do beyond the industry standard practices to make things more private, we absolutely will.

IncogNET
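The dispute above turns on whether recovered files came from the tenant's own earlier install or from a volume that was handed over un-wiped. One check a tenant can run before writing anything to a new VPS disk, as an added example that is not from either post or from IncogNET: read the raw, never-formatted volume sector by sector, count sectors that are not all zero, and note sector-aligned headers of the file kinds named in the thread (images, databases, executables). On a device zeroed before reassignment the non-zero count is zero, and anything found before the tenant has written to it cannot be their own reinstalled data. The device path and the 512-byte sector size are assumptions; the embedded sample image is constructed.

```python
"""Check whether a freshly attached, never-used block device carries residual data."""
import io
import sys

SECTOR = 512  # assumed sector size; adjust for 4K-native devices
# Magic bytes checked at the start of each sector (sector-aligned, photorec-style).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "elf": b"\x7fELF",
    "sqlite": b"SQLite format 3\x00",
}

def scan_device(fobj, sector=SECTOR):
    """Return {'sectors': n, 'nonzero': m, 'hits': {kind: [byte offsets]}}."""
    result = {"sectors": 0, "nonzero": 0, "hits": {k: [] for k in SIGNATURES}}
    zero = bytes(sector)
    while True:
        chunk = fobj.read(sector)
        if not chunk:
            break
        offset = result["sectors"] * sector
        result["sectors"] += 1
        if chunk != zero[: len(chunk)]:  # any non-zero byte in this sector
            result["nonzero"] += 1
            for kind, magic in SIGNATURES.items():
                if chunk.startswith(magic):
                    result["hits"][kind].append(offset)
    return result

def scan_bytes(data, sector=SECTOR):
    """Convenience wrapper for scanning an in-memory image."""
    return scan_device(io.BytesIO(data), sector)

def residue_found(result):
    """True if the volume was not handed over zeroed."""
    return result["nonzero"] > 0

def make_sample_image():
    """Constructed 64-sector image: zeros except a JPEG header at sector 3,
    an SQLite header at sector 10 and a few arbitrary non-zero bytes at sector 20."""
    img = bytearray(64 * SECTOR)
    img[3 * SECTOR: 3 * SECTOR + 3] = SIGNATURES["jpeg"]
    db = SIGNATURES["sqlite"]
    img[10 * SECTOR: 10 * SECTOR + len(db)] = db
    img[20 * SECTOR: 20 * SECTOR + 4] = b"data"
    return bytes(img)

if __name__ == "__main__":
    # usage: python check_residue.py /dev/vdb   (assumed device path; needs read access)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    r = scan_device(open(path, "rb")) if path else scan_bytes(make_sample_image())
    print(f"{r['nonzero']}/{r['sectors']} non-zero sectors; residue: {residue_found(r)}")
    for kind, offs in r["hits"].items():
        if offs:
            print(f"  {kind}: {len(offs)} header(s), first at byte {offs[0]}")
```

A non-zero count on a brand-new volume is evidence on its own; the signature hits only say what kind of data survived.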



