
Researcher Finds Serious Bugs in Top Web Hosting Services

Security researcher Paulos Yibelo uncovered several vulnerabilities in Bluehost, DreamHost, HostGator, OVH and iPage that could've been used to steal website owners' personal information or take over their accounts.

By Michael Kan
January 15, 2019

How secure is your website? Well, don't count on your web hosting provider to keep it hack-proof.

A security researcher has uncovered several vulnerabilities in five web hosting providers, which could've been used to steal website owners' personal information or take over their accounts.

The hosting providers include Bluehost, DreamHost, HostGator, OVH, and iPage, all of which offer customers low-cost monthly plans to run their websites. Unfortunately, the hosting services also contained software bugs or design choices that made them easy to hack, according to Paulos Yibelo.

On Monday, he published a report, first reported by TechCrunch, which documents how to exploit the vulnerabilities by getting website owners to click on malicious links sent via email.

One such bug could've allowed a hacker to learn the name, phone number, and partial payment card details from users logged into Bluehost. The exploit took advantage of a "cross-origin resource-sharing" feature, also known as CORS, which lets one Bluehost web domain access another within a browser. That's problematic in the event you access a Bluehost domain that's actually controlled by a hacker.

"This means malicious attackers could host a subdomain called my.bluehost.com.EVILWEBSITE.com and Bluehost would allow EVILWEBSITE.com to read [the victim's websites] contents," Yibelo wrote in his report.
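The flaw described above is a classic origin-validation mistake: the server decides whether to reflect a request's `Origin` header into `Access-Control-Allow-Origin` using a test that only looks at the beginning of the origin, so `my.bluehost.com.EVILWEBSITE.com` passes. The following is an added example, not code from PCMag, Yibelo's report, or Bluehost; it assumes a prefix match was the underlying defect (the report only states the observed behaviour) and uses the host names from the article plus a constructed attacker host.

```javascript
// Added example: a weak CORS origin check beside a strict allowlist check.
// Not the hosting provider's code; the prefix-match defect is an assumption
// consistent with the behaviour the report describes.

const TRUSTED_ORIGINS = new Set([
  "https://my.bluehost.com",
  "https://www.bluehost.com",
]);

// Weak check: "does the origin start with our host name?"
// Any origin whose host merely begins with the trusted name is accepted,
// including https://my.bluehost.com.evilwebsite.example (constructed).
function weakOriginCheck(origin) {
  return origin.startsWith("https://my.bluehost.com");
}

// Strict check: exact match of the full origin (scheme + host [+ port])
// against an allowlist. No suffix, prefix, or regex matching.
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Build the CORS response headers for a request's Origin using the given
// check. Returns null when the origin is untrusted so that no
// Access-Control-Allow-Origin header is emitted at all.
function corsHeadersFor(origin, check) {
  if (typeof origin !== "string" || !check(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Responses differ per origin, so caches must key on it.
    "Vary": "Origin",
  };
}

module.exports = { weakOriginCheck, strictOriginCheck, corsHeadersFor };
```

With credentials allowed, a reflected origin lets the foreign page read the logged-in user's account data, which is exactly the exposure the report describes; the strict check returns no CORS headers for the constructed attacker origin, so the browser blocks the read.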

Another cross-origin vulnerability was found with iPage involving the hosting provider's change password function. For some reason, you don't need to enter the account holder's existing password when initiating the change. Yibelo found he could exploit this by getting the victim to visit a malicious webpage. Once loaded, the webpage secretly changed the victim's password through a cross-origin request, paving the way for an account takeover.

The good news is that at least four of the five hosting providers have fixed the bugs. However, the remaining provider, OVH, has pushed back on the findings, and pointed to errors in the research. In response, Yibelo told PCMag he stands by his work.

It isn't clear if hackers ever became aware of any of the vulnerabilities, which Yibelo said were easy for him to find. DreamHost said: "After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised."

Nevertheless, the vulnerabilities underscore the need for website owners to be careful. "Out of the five web hosts we tested, we found that all can be easily hacked," Yibelo wrote in the post. "This means that no matter which hosting service you use, you should always be sure to take additional measures to enhance your website's security."

To stay safe, Yibelo told PCMag that website owners should make sure they are logged out of their hosting accounts when browsing the internet, which protects against cross-origin attacks that depend on an active session. It's also a good idea to avoid opening emails from suspicious sources and clicking on sketchy links.

Editor's Note: This story has been updated with more response to the OVH vulnerabilities.
