Several security vulnerabilities were discovered in five popular web hosting services. The flaws enable threat actors to steal sensitive information or even take over customers’ accounts. The vulnerabilities were unearthed by security researcher Paulos Yibelo, who is a well-known bug hunter. The affected hosting services are Bluehost, DreamHost, Hostgator, OVH and iPage.
The goal of Yibelo’s research was “to try and see if websites hosted on Bluehost, Dreamhost, HostGator, OVH, or iPage could be compromised with one click client-side vulnerabilities”. As it turns out, a compromise is indeed possible on all five hosting providers, and due to the discovered client-side flaws, account takeovers can indeed happen.
The vulnerabilities, which are now fixed, could have been deployed against any of the two million domains under Bluehost, Hostgator and iPage (all owned by the same company, Endurance), DreamHost’s one million domains and OVH’s four million domains. In total, approximately seven million domains could have easily been compromised. Even though the attacks Yibelo tested were not complicated at all, they could have been easily used against high-profile users in targeted spear phishing campaigns. Since domain registration details are easy to find on registrar WHOIS databases, potential attackers would have only needed to send the domain owner a malicious link via email.
Types of Vulnerabilities in All Five Hosting Providers
Bluehost was found vulnerable to information leakage attacks where cross-origin-resource-sharing (CORS) misconfigurations are abused. Other possible attack scenarios involving Bluehost are:
- Account takeover due to improper JSON request validation;
- A man-in-the-middle attack due to improper validation of CORS;
- Cross-site scripting on my.bluehost.com in account takeover attacks.
Dreamhost was found to be susceptible to account takeovers where a specific XSS (cross-site scripting) vulnerability.
HostGator had a site-wide CSRF (Cross-Site Request Forgery) protection bypass that could have allowed complete control, and multiple CORS misconfigurations that could have led to information leaks and CRLF injection attacks.
OVH could have been compromised in CSRF protection bypass attacks and API misconfigurations. And finally, iPage was vulnerable to account takeovers and several content security policy (CSP) bypasses.
Dreamhost was the first hosting provider to respond to the researchers’ discoveries. A response was also received from Endurance, the company behind Bluehost, iPage, and HostGator.
The researcher also pointed out that Bluehost red-flagged his account and “closed it down unceremoniously”, without giving any reason or explanation. “However, since it was done after the hack was completed, we can only assume it is because they saw what we were doing,” the researcher concluded.
Here’s OVH’s response on the matter.