Independent researcher and bug hunter Paulos Yibelo, who shared his new research with The Hacker News, discovered roughly a dozen serious security vulnerabilities in Bluehost, Dreamhost, HostGator, OVH, and iPage, which together account for roughly seven million domains.
Some of the vulnerabilities are so simple to exploit that attackers only need to trick victims into clicking a link or visiting a malicious website to take over the accounts of anyone using the affected web hosting providers.
Critical Flaws Reported in Popular Web Hosting Services
Yibelo tested all the below-listed vulnerabilities on all five web hosting platforms and found several account takeover, cross-site scripting, and information disclosure vulnerabilities, which he documented on the Website Planet blog.
1. Bluehost—the company is owned by Endurance, which also owns HostGator and iPage; in total, the three hosting providers power more than 2 million sites around the world. Bluehost was found vulnerable to:
- Information leakage through cross-origin-resource-sharing (CORS) misconfigurations
- Account takeover due to improper JSON request validation CSRF
- A Man-in-the-middle attack can be performed due to improper validation of CORS scheme
- Cross-site scripting flaw on my.bluehost.com allows account takeover (demonstrated in a proof-of-concept, below)
2. Dreamhost—the hosting provider that powers one million domains was found vulnerable to:
- Account takeover using cross-site scripting (XSS) flaw
- Site-wide CSRF protection bypass allows complete control
- Multiple CORS misconfigurations leading to information leak and CRLF
4. OVH Hosting—the company that alone powers four million domains around the world was found vulnerable to:
- CSRF protection bypass
- API misconfigurations
5. iPage Hosting
- Account takeover flaw
- Multiple Content Security Policy (CSP) bypasses
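The CORS items in the Bluehost list (information leakage through CORS misconfiguration, and a man-in-the-middle risk when the origin's scheme is not validated) come down to how a server decides which `Origin` header to trust. The following is an added example, not code from the article, the researcher, or any provider: a constructed weak check beside a strict one, with the `example.com` names and all function names being assumptions.

```javascript
// Constructed allowlist and sample origins; example.com names are placeholders.
const ALLOWED_ORIGINS = new Set(["https://portal.example.com"]);
const SAMPLE_ORIGINS = [
  "https://portal.example.com", // legitimate front end
  "http://portal.example.com",  // same host over plaintext (scheme is not https)
  "https://notexample.com",     // look-alike host sharing the suffix
  "null",                       // sandboxed iframe or file: origin
];

// Weak check (illustrates the misconfiguration class): suffix match only,
// so the scheme is never validated and look-alike hosts pass.
function weakIsAllowed(origin) {
  return typeof origin === "string" && origin.endsWith("example.com");
}

// Strict check: parse, require https, and match the exact serialized origin.
function strictIsAllowed(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // "null" and malformed values are rejected here
  }
  if (url.protocol !== "https:") return false;
  // Rejects values carrying a path, userinfo, or unexpected casing.
  return url.origin === origin && ALLOWED_ORIGINS.has(url.origin);
}

// Build CORS response headers; an untrusted origin gets none at all.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}

// List which sample origins a check would let read credentialed responses.
function acceptedBy(isAllowed) {
  return SAMPLE_ORIGINS.filter(
    (o) => "Access-Control-Allow-Origin" in corsHeaders(o, isAllowed)
  );
}

console.log("weak:  ", acceptedBy(weakIsAllowed));
console.log("strict:", acceptedBy(strictIsAllowed));
```

The weak check trusts the plaintext `http://` origin, whose pages anyone on the network path can modify, as well as the look-alike host; the strict check accepts only the exact HTTPS origin.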
Video Demonstrations
- https://www.youtube.com/watch?v=lOiqnP1hLfk
- https://www.youtube.com/watch?v=BJb2T3E6ZC0
- https://www.youtube.com/watch?v=qZlgdpUGzZ4
- https://www.youtube.com/watch?v=AvHN0P0JAW4
- https://www.youtube.com/watch?v=ppUIc__Bokg
Talking to The Hacker News, Yibelo said he spent about an hour on average on each of the five web hosting platforms to find at least one account takeover-related client-side vulnerability, mostly using Burp Suite, a web application security testing tool, and Firefox browser plugins.
“They mostly focus on protecting the wrong assets, but most of them have medium security standards for their user profile portals and data exfiltration vulnerability classes. Most of their protections are easily bypassable using lesser-known tricks,” Yibelo told The Hacker News.
Among the affected hosting companies, Yibelo found Bluehost, HostGator and iPage to be the easiest ones to hack into, though he told The Hacker News that HostGator included “multiple layers of security checks (that can be bypassed, but they are there, unlike the other sites).”
Yibelo reported his findings to the affected web hosting providers, and all except OVH patched their services before the information went public yesterday. OVH has yet to confirm and respond to the researcher’s findings.