
Web Hosting Sites Bluehost, DreamHost, Hostgator, OVH and iPage Were Vulnerable To Simple Account Takeover Hacks (techcrunch.com)

A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account from some of the largest web hosting companies on the internet. From a news report: In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers -- Bluehost, DreamHost, Hostgator, OVH and iPage. "All five had at least one serious vulnerability allowing a user account hijack," he told TechCrunch, with which he shared his findings before going public. The results of his vulnerability testing likely wouldn't fill customers with much confidence. The bugs, now fixed -- according to Yibelo's writeup -- represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base -- with the potential to go easily wrong. In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost's one million domains and OVH's four million domains -- totaling some seven million domains.
  • by Gavagai80 ( 1275204 ) on Monday January 14, 2019 @04:37PM (#57961816)

    An attack that requires getting the victim to click a malicious link is far, far less serious than an attack which can be carried out without the victim's participation.

    With domain registration data available for most large clients on registrar WHOIS databases, most of the attacks would have relied on sending the domain owner a malicious link by email and hoping that they click.

    ^ And whois privacy makes the attack much less likely. These kinds of cross-site scripting attacks are basically one step above phishing.

    Should be fixed, but nothing to worry too much about.

    • Not only that, but I've had 2FA on my Dreamhost account for years. Real 2FA, not "we'll send a text to your phone." To log in to my account, I have to enter my username, password, and a rolling code generated by Authy that changes every 30 seconds. Resetting my password doesn't get you anything, other than inconveniencing me.
  • This completely goes against the ultra-secure impression I had of shared web hosting companies!
    • This completely goes against the ultra-secure impression I had of shared web hosting companies!

      You are probably being sarcastic, but this kind of thing will be an issue with "the cloud"; the cloud just being glorified web hosting.

      A single vulnerability will expose hundreds or more customers to mass attacks.

      However, this doesn't necessarily mean it's worse than self-hosted systems*, only that breaches may be more public because many other orgs will be in the same boat.

      It's kind of comparable to nuclear power.

  • by Anonymous Coward

    I used to work for Bluehost; they fired most of the competent developers and off-shored the support. They were pretty slow on updating Red Hat as well.

  • by devlp0 ( 897273 )
    I have a virtual host with OVH - pretty good specs, works fine and as cheap as chips!
