Some of the biggest web hosting sites were vulnerable to simple account takeover hacks

A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer’s account from some of the largest web hosting companies on the internet.

In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers — Bluehost, DreamHost, Hostgator, OVH and iPage.

“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch, with which he shared his findings before going public.

The results of his vulnerability testing likely wouldn’t fill customers with much confidence. The bugs, now fixed — according to Yibelo’s writeup — represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base — with the potential to go easily wrong.

In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost’s one million domains and OVH’s four million domains — totaling some seven million domains.

Most of Yibelo’s attacks were simple enough, but effective if combined with a targeted spearphishing campaign that targeted high-profile users. With domain registration data available for most large clients on registrar WHOIS databases, most of the attacks would have relied on sending the domain owner a malicious link by email and hoping that they click.

In the case of Bluehost, Yibelo embedded malicious JavaScript on a page full of kittens or puppies, or anything he wants. As soon as a logged-in Bluehost user clicks on a link from an email or a tweet to that page, the hidden JavaScript will activate on the page and inject the attacker’s own profile information into the victim’s account — assuming that the user is already logged in to Bluehost — by exploiting a cross-site request forgery (CSRF) flaw. That allows the attacker to modify data on the server from his malicious site, while the victim is none the wiser. By injecting their own information — including email address — the attacker can request a new password to that attacker’s email address  and take over the account.

A demo of a simple hack, involving a one-click link that lets an attacker break in and take over a user’s account. (Paulos Yibelo/YouTube)

Yibelo also found that the attack could work in the form of a cross-site scripting (XSS) attack. He demonstrated how a single click on a malicious link could instantly swap out a DreamHost account owner’s email address for one that an attacker uses, allowing Yibelo — or an attacker — to send a password reset code to be sent to the email of the attacker, permitting an account takeover.

Hostgator, meanwhile, suffered from several vulnerabilities, including a similar CSRF flaw that tricked countermeasures to prevent a cross-site script from running, which allowed him to add, edit or modify any data in the victim’s profile, such as an email address that could be used to reset the user’s password.

Yibelo also found several other lesser-likely but still serious flaws, allowing man-in-the-middle attacks on a local network — such as a public Wi-Fi hotspot.

OVH, meanwhile, had a similar flaw that allowed Yibelo to bypass its CSRF protections that allow him to add, change or edit user profile data. By using another vulnerability in its API, it could’ve allowed an attacker to fetch and read responses from OVH.

iPage had a similar one-click flaw that could be easily exploited because the web host doesn’t require an old or current password when resetting the account’s login details. That made it possible for an attacker to craft a malicious web address which, when clicked, would reset the password to one of the attacker’s choosing — allowing them to log in as that user.

Most of the web hosting companies also fixed other information and data-leaking flaws, also discovered by Yibelo.

All of the companies except OVH — which didn’t respond to a request for comment sent prior to publication — confirmed that the bugs were fixed.

Kristen Andrews, a spokesperson for Endurance, a web hosting company that owns Bluehost, Hostgator and iPage, said the company has “taken steps to address and patch the potential vulnerabilities in question,” but, when asked, did not say if the bugs had been exploited or if customer accounts or data had been compromised.

DreamHost, meanwhile, said it fixed the bugs “less than 48 hours later,” according to spokesperson Brett Dunst, and found no evidence to suggest anyone exploited the bug outside Yibelo’s testing.

“After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised,” he said. “The exploit would have required a logged-in DreamHost user to click a specially formatted malicious link to alter their own account’s contact information.”

It’s remarkable to think that of all the ways to break into a website, it often — as Yibelo showed — isn’t through any convoluted attack or busting firewalls. It’s simply through the front door of the site’s host, requiring little effort for the average hacker.