Five of the Biggest Hosting Providers Riddled with Vulnerabilities

Several security vulnerabilities were discovered in five popular web hosting services. The flaws could have allowed attackers to steal sensitive information or even take over customers' accounts. The vulnerabilities were unearthed by security researcher Paulos Yibelo, a well-known bug hunter. The affected hosting services are Bluehost, DreamHost, HostGator, OVH and iPage.

The goal of Yibelo’s research was “to try and see if websites hosted on Bluehost, Dreamhost, HostGator, OVH, or iPage could be compromised with one click client-side vulnerabilities”. As it turns out, a compromise is indeed possible on all five hosting providers, and due to the discovered client-side flaws, account takeovers can indeed happen.

The vulnerabilities, which have since been fixed, could have been used against any of the roughly two million domains hosted by Bluehost, HostGator and iPage (all owned by the same company, Endurance), DreamHost's one million domains and OVH's four million domains. In total, approximately seven million domains were exposed. Even though the attacks Yibelo tested were not complicated, they could easily have been used against high-profile users in targeted spear-phishing campaigns: since domain registration details were easy to find in registrar WHOIS databases, an attacker would only have needed to email the domain owner a malicious link and wait for a single click.


Types of Vulnerabilities in All Five Hosting Providers

Bluehost was found vulnerable to information leakage attacks where cross-origin-resource-sharing (CORS) misconfigurations are abused. Other possible attack scenarios involving Bluehost are:

  • Account takeover due to improper JSON request validation;
  • A man-in-the-middle attack due to improper validation of CORS;
  • Cross-site scripting on my.bluehost.com in account takeover attacks.
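The CORS misconfiguration class mentioned above is worth seeing concretely. The example below is added here for illustration and is not code from the research or from any of the hosting providers; the handler functions, the `TRUSTED_ORIGINS` allowlist and the `.test` hostnames are hypothetical. It models three server behaviours (reflecting any `Origin`, matching on a hostname suffix, and an exact-match allowlist) and a classifier that reports whether a page on an attacker-controlled origin could read an authenticated response, which is the information-leak scenario the article describes.

```python
"""Classify a server's CORS response for a credentialed cross-origin read.

Added example with constructed data; it is not the research PoC nor any
provider's code. Browser rule being modelled: a cross-origin page can read
an authenticated response only when the server echoes that page's exact
Origin in Access-Control-Allow-Origin AND sends
Access-Control-Allow-Credentials: true. A wildcard '*' never permits a
credentialed read, and a missing header blocks the read entirely.
"""

# Hypothetical allowlist of origins that legitimately need credentialed access.
TRUSTED_ORIGINS = {"https://my.example-host.test"}


def reflecting_handler(request_headers: dict) -> dict:
    """Vulnerable pattern: echoes whatever Origin the browser sent and allows
    credentials, so any site the victim visits can read their account data."""
    origin = request_headers.get("Origin", "")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def suffix_handler(request_headers: dict) -> dict:
    """Still vulnerable: a naive suffix match accepts attacker-registered
    hostnames such as https://evil-example-host.test (no dot boundary)."""
    origin = request_headers.get("Origin", "")
    if origin.endswith("example-host.test"):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def allowlist_handler(request_headers: dict) -> dict:
    """Hardened pattern: exact-match allowlist; unknown origins get no
    Access-Control-Allow-Origin header, so the browser blocks the read.
    Vary: Origin keeps caches from serving one origin's answer to another."""
    origin = request_headers.get("Origin", "")
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def classify_cors(response_headers: dict, requesting_origin: str) -> str:
    """Return what a page on requesting_origin could read from this response:
    'credentialed-read', 'public-read-only' or 'no-cross-origin-read'."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no-cross-origin-read"
    if acao == "*":
        # Browsers reject '*' for credentialed requests; only unauthenticated
        # (public) responses are readable in that case.
        return "public-read-only"
    if acao == requesting_origin:
        return "credentialed-read" if creds else "public-read-only"
    return "no-cross-origin-read"


def probe(handler, attacker_origin: str = "https://attacker.test") -> str:
    """Simulate a browser on attacker_origin hitting the handler with credentials."""
    return classify_cors(handler({"Origin": attacker_origin}), attacker_origin)


if __name__ == "__main__":
    for name, handler in [("reflecting", reflecting_handler),
                          ("suffix", suffix_handler),
                          ("allowlist", allowlist_handler)]:
        print(f"{name:10s} from attacker.test: {probe(handler)}")
    print(f"{'suffix':10s} from evil-example-host.test: "
          f"{probe(suffix_handler, 'https://evil-example-host.test')}")
```

Against a live target the same classification is done by sending the request with a chosen `Origin` header and inspecting the two response headers; the reflecting and suffix cases both come back as a credentialed read from an origin the operator never intended to trust.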

DreamHost was found to be susceptible to account takeover via a specific XSS (cross-site scripting) vulnerability.

HostGator had a site-wide CSRF (Cross-Site Request Forgery) protection bypass that could have allowed complete control, and multiple CORS misconfigurations that could have led to information leaks and CRLF injection attacks.

OVH could have been compromised in CSRF protection bypass attacks and API misconfigurations. And finally, iPage was vulnerable to account takeovers and several content security policy (CSP) bypasses.

DreamHost was the first hosting provider to respond to the researcher's findings. A response was also received from Endurance, the company behind Bluehost, iPage, and HostGator.

The researcher also pointed out that Bluehost red-flagged his account and “closed it down unceremoniously”, without giving any reason or explanation. “However, since it was done after the hack was completed, we can only assume it is because they saw what we were doing,” the researcher concluded.

Update
Here’s OVH’s response on the matter.

Milena Dimitrova

1 Comment

  1. TZAX

    OVH claims that this is totally wrong..
    https://twitter.com/olesovhcom/status/1085284004721541122
