News Centre

Top Web Hosting Sites Found To Have Multiple Flaws

Article by Diogo Correa
January 17, 2019

SHARE THIS POST:

Hosting Companies Hacked

Multiple one-click client-site vulnerabilities were found by independent security researcher Paulos Yibelo, who discovered roughly a dozen serious security vulnerabilities in Bluehost, Dreamhost, HostGator, OVH, and iPage, which together amount to roughly 7 million domains. These vulnerabilities, which will be detailed below, could have put millions of their customers as well as billions of their sites’ visitors at risk of hacking. 

Some of these vulnerabilities are so simple to execute and was demonstrated by hackers who simply tricked victims into clicking a simple link or visiting a malicious website that would easily take over the accounts of anyone using the affected hosting providers.

The research

The researcher Paulos Yibelo documented [Click here] on the website Planet Blog his findings, finding several account takeover, cross-scripting, and information disclosure vulnerabilities. 

1. Bluehost—the company owned by Endurance which also owns Hostgator and iPage, and in total, the three hosting providers powers more than 2 million sites around the world. Bluehost was found vulnerable to:

  • Information leakage through cross-origin-resource-sharing (CORS) misconfigurations
  • Account takeover due to improper JSON request validation CSRF
  • A Man-in-the-middle attack can be performed due to improper validation of CORS scheme
  • Cross-site scripting flaw on my.bluehost.com allows account takeover (demonstrated in a proof-of-concept, below)

2. Dreamhost—the hosting provider that powers one million domains was found vulnerable to:

  • Account takeover using cross-site scripting (XSS) flaw

3. HostGator

  • Site-wide CSRF protection bypass allows complete control
  • Multiple CORS misconfigurations leading to information leak and CRLF

4. OVH Hosting—the company that alone powers four million domains around the world was found vulnerable to:

  • CSRF protection bypass
  • API misconfigurations

5. iPage Hosting

  • Account takeover flaw
  • Multiple Content Security Policy (CSP) bypasses

Video Demonstrations By BlueHost

If you have any questions regarding hosting please feel free to contact us or visit our hosting page [here] which has not been hacked! supported by GoDaddy. 

Other Articles You May Enjoy:

Share your thoughts in the Comments section:

Subscribe For The Latest In Technology

Other Posts You May Like

TECH NEWS & UPDATES

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.

RECENT POSTS

Microsoft Azure

Introduction to Azure – A Core Cloud Service

Microsoft Responds to COVID-19

Microsoft Responds To COVID-19 By Offering E1 Licenses Free For The Next 6-Months

teams_video_calls_intelligent_workplace

Microsoft Teams vs Zoom. What is right for your business?

Microsoft Azure

Azure Firewall Manager now supports virtual networks.

White Paper

Enjoy this free eBook

Tech Patrol - Microsoft Office 365

White Paper (Why businesses Are Migrating to Cloud)

  • This field is for validation purposes and should be left unchanged.
top-web-hosting-sites-found-to-have-multiple-flaws-tech-success
Scroll to Top