High-Severity Bugs in Web Hosting providers

Paulos Yibelo, a well-known and respected bug hunter and researcher, has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account at some of the largest web hosting companies on the internet.

In some cases, clicking on a simple link would have been enough to take over the accounts of anyone using five large hosting providers — Bluehost, DreamHost, Hostgator, OVH and iPage.

The results of his vulnerability testing are unlikely to fill customers with much confidence. The bugs, now fixed according to Yibelo's report, stem from aging infrastructure, complicated and sprawling web-based back-end systems, and companies each serving a massive user base, a combination in which things can easily go wrong.

In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost’s one million domains and OVH’s four million domains — totaling some seven million domains.

In his report, Yibelo listed the following vulnerabilities:

  • Bluehost - Information leakage through Cross-Origin Resource Sharing (CORS) misconfigurations
  • Bluehost - Account takeover via Cross-Site Request Forgery (CSRF) because of improper JSON request validation
  • Bluehost - Man-in-the-Middle (MITM) because of improper validation of the CORS scheme
  • Bluehost - Cross-Site Scripting (XSS) on my.bluehost.com allowing for account takeover
  • DreamHost - Account takeover via XSS
  • HostGator - Site-wide CSRF protection bypass allowing complete control
  • HostGator - Multiple CORS misconfigurations leading to information leak and Carriage Return and Line Feed (CRLF) issues
  • OVH - CSRF protection bypass
  • OVH - Application Programming Interface (API) misconfigurations
  • iPage - Account takeover
  • iPage - Multiple Content Security Policy bypasses
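As an added illustration of the CORS findings in the list above (not code from Yibelo's report or from any of the providers named), the following Python contrasts a credentialed origin-reflecting handler with a strict allow-list that also enforces the https scheme, and adds a small audit helper a defender can run over observed response headers. The hostnames and the service are constructed for the example.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed: the only origins that may read authenticated API responses.
ALLOWED_HOSTS = {"my.example-host.test", "www.example-host.test"}


def cors_headers_weak(origin: str) -> Dict[str, str]:
    """Misconfigured pattern: reflect whatever Origin arrived and allow credentials.
    Any page the logged-in user visits can then read the API's responses."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def origin_allowed(origin: Optional[str]) -> bool:
    """Strict allow-list: https only, exact host, no port/path tricks, no 'null'."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https":            # http:// origin would be MITM-able
        return False
    try:
        if parts.port is not None:         # no explicit port, not even :443
            return False
    except ValueError:                     # non-numeric port -> malformed
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return parts.hostname in ALLOWED_HOSTS  # exact match, no suffix/prefix logic


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Only echo an origin that passed the allow-list; otherwise send no CORS headers."""
    if not origin_allowed(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}              # keep caches from serving one origin's ACAO to another


def audit_cors_response(request_origin: str, headers: Dict[str, str]) -> List[str]:
    """Defender check: flag response patterns matching the misconfigurations listed above."""
    findings = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("wildcard origin with credentials")
    if acao == request_origin and creds and not origin_allowed(request_origin):
        findings.append("reflects untrusted origin with credentials")
    if acao and acao.startswith("http://") and creds:
        findings.append("allows plaintext http origin with credentials (MITM)")
    return findings
```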