Some of the biggest web hosting sites were vulnerable to simple account takeover hacks

A security researcher has found, reported, and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account at some of the largest web hosting companies on the internet.
In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using one of five large hosting providers: Bluehost, Dreamhost, Hostgator, OVH, and iPage.
All five had at least one serious vulnerability allowing a user account hijack, he told TechCrunch, with which he shared his findings before going public.
The results of his vulnerability testing likely wouldn't fill customers with much confidence. The bugs, now fixed according to Yibelo's writeup, are cases of aging infrastructure, complicated and sprawling web-based back-end systems, and companies each with a massive user base, where things can easily go wrong.
In all, the bugs could have been used to target any of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, Dreamhost's one million domains, and OVH's four million domains, some seven million domains in total.
Most of Yibelo's attacks were simple enough, but effective if combined with a targeted spear-phishing campaign aimed at high-profile users. With domain registration data for most large clients available in registrar WHOIS databases, most of the attacks would have relied on sending the domain owner a malicious link by email and hoping that they click.
In the case of Bluehost, Yibelo embedded malicious JavaScript on a page of his own: a page full of kittens or puppies, or anything he wanted. As soon as a logged-in Bluehost user follows a link from an email or a tweet to that page, the hidden JavaScript runs and makes the victim's browser submit a request to Bluehost, which the browser sends along with the victim's session cookie. Because Bluehost did not verify that the request came from its own pages, a cross-site request forgery (CSRF) flaw, the server accepts it and writes the attacker's own profile information into the victim's account, while the victim is none the wiser. Having injected their own details, including an email address, the attacker can request a password reset to that address and take over the account.

A demo of a simple hack, involving a one-click link that lets an attacker break in and take over a user's account. (Paulos Yibelo/YouTube)
Yibelo also found that the attack could work in the form of a cross-site scripting (XSS) attack. He demonstrated how a single click on a malicious link could instantly swap out a Dreamhost account owner's email address for one the attacker controls, allowing a password reset code to be sent to the attacker's email and permitting an account takeover.
Hostgator, meanwhile, suffered from several vulnerabilities, including a similar CSRF flaw that got around the countermeasures meant to prevent a cross-site script from running, which allowed him to add, edit, or modify any data in the victim's profile, such as an email address that could then be used to reset the user's password.
Yibelo also found several other less likely but still serious flaws, allowing man-in-the-middle attacks on a local network, such as a public Wi-Fi hotspot.
OVH, meanwhile, had a similar flaw that allowed Yibelo to bypass its CSRF protections and add, change or edit user profile data. Combined with another vulnerability in its API, it could have allowed an attacker to fetch and read responses from OVH.
And iPage had a similar one-click flaw, which was easy to exploit because the web host doesn't require the old or current password when resetting an account's login details. That made it possible for an attacker to craft a malicious web address which, when clicked, would reset the password to one of the attacker's choosing, allowing them to log in as that user.
Most of the web hosting companies also fixed other information- and data-leaking flaws discovered by Yibelo.
All of the companies, except OVH, which didn't respond to a request for comment sent prior to publication, confirmed that the bugs were fixed.
Kristen Andrews, a spokesperson for Endurance, the web hosting company that owns Bluehost, Hostgator and iPage, said that the company has taken steps to address and patch the potential vulnerabilities in question, but, when asked, did not say if the bugs had been exploited or if customer accounts or data had been compromised.
Dreamhost, meanwhile, said it fixed the bugs less than 48 hours later, according to spokesperson Brett Dunst, and found no evidence to suggest anyone exploited the bug outside Yibelo's testing.
"After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised," he said. "The exploit would have required a logged-in DreamHost user to click a specially-formatted malicious link to alter their own account's contact information."
It's remarkable to think that, of all the ways to break into a website, the way in often isn't, as Yibelo showed, through any convoluted attack or busting firewalls. It's simply through the front door of the site's host, requiring little effort from the average hacker.
