Slashdot Mirror


Web Hosting Sites Bluehost, DreamHost, Hostgator, OVH and iPage Were Vulnerable To Simple Account Takeover Hacks (techcrunch.com)

A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account from some of the largest web hosting companies on the internet. From a news report: In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers -- Bluehost, DreamHost, Hostgator, OVH and iPage. "All five had at least one serious vulnerability allowing a user account hijack," he told TechCrunch, with which he shared his findings before going public. The results of his vulnerability testing likely wouldn't fill customers with much confidence. The bugs, now fixed -- according to Yibelo's writeup -- represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base -- with the potential to go easily wrong. In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost's one million domains and OVH's four million domains -- totaling some seven million domains.

18 comments

  1. Could be worse by Gavagai80 · · Score: 2

    An attack that requires getting the victim to click a malicious link is far, far less serious than an attack which can be carried out without the victim's participation.

    With domain registration data available for most large clients on registrar WHOIS databases, most of the attacks would have relied on sending the domain owner a malicious link by email and hoping that they click.

    ^ And whois privacy makes the attack much less likely. These kinds of cross-site scripting attacks are basically one step above phishing.

    Should be fixed, but nothing to worry too much about.

    --
    This space intentionally left blank
    1. Re:Could be worse by Solandri · · Score: 1

      Not only that, but I've had 2FA on my Dreamhost account for years. Real 2FA, not "we'll send a text to your phone." To login to my account, I have to enter my username, password, and a rolling code generated by Authy that changes every 30 seconds. Resetting my password doesn't get you anything, other than inconveniencing me.

    2. Re:Could be worse by Anonymous Coward · · Score: 0

      An attack that requires getting the victim to click a malicious link is far, far less serious than an attack which can be carried out without the victim's participation.

      You must have missed the part about basic CSRF and XSS vulnerabilities... Sure, targeted attacks could be harder, if we're talking about targeting one or a few security-conscious people, instead of even small companies, or clueless website owners, but mass-scale attacks are easy, and you'd probably end up with some access to a few large websites at least...

      But yes, if you logout of important websites every time (or use a different browser profile for them), largely filter ads, use NoScript, RequestPolicy, never click on unknown links from emails, have an updated browser/system, etc., the risk is low.
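The "click a link and your account changes" class of bug that the thread is discussing, as an added example (not code from the article, the researcher, or any of the hosting providers): a simulated account-settings endpoint in its vulnerable form, where a state change happens on a GET authenticated by the ambient session cookie alone, beside a hardened form that refuses GET, checks the browser's Fetch Metadata and Origin headers, and verifies a per-session CSRF token. The site origin, paths, handler names and the two attacker request shapes are hypothetical. Note the SameSite detail the code comments spell out: a SameSite=Lax cookie is still sent on a top-level GET navigation, so SameSite alone does not save a GET-mutating endpoint.

```python
"""CSRF via "just click this link": vulnerable vs hardened account handler.
Constructed simulation; site, paths and names are hypothetical."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://panel.example-host.invalid"  # hypothetical hosting panel


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SESSIONS: dict[str, dict] = {}  # session cookie value -> {"user", "csrf"}
ACCOUNTS: dict[str, dict] = {}  # user -> settings


def login(user: str) -> str:
    """Create a session plus a per-session CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def change_email_vulnerable(req: Request) -> int:
    """Bug: mutates on GET, authenticated by the ambient cookie alone. Any page
    the victim visits can emit an <a href> or <img src> that hits this."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    new = req.query.get("email") or req.form.get("email")
    if not new:
        return 400
    ACCOUNTS[sess["user"]]["email"] = new
    return 200


def change_email_hardened(req: Request) -> int:
    """Same operation with the checks a reviewer would insist on."""
    if req.method != "POST":  # 1. never mutate on GET: kills the link/img vector
        return 405
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    # 2. Fetch Metadata / Origin: refuse what the browser labels cross-site.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # 3. Synchronizer token bound to the session, compared in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    new = req.form.get("email")
    if not new:
        return 400
    ACCOUNTS[sess["user"]]["email"] = new
    return 200


def victim_clicks_link(path: str, query: dict, sid: str) -> Request:
    """Top-level GET navigation from an attacker page: the browser attaches the
    site's cookies (SameSite=Lax allows this), sends no Origin, and labels the
    request Sec-Fetch-Site: cross-site."""
    return Request("GET", path, query=query, cookies={"sid": sid},
                   headers={"Sec-Fetch-Site": "cross-site"})


def attacker_auto_form(path: str, form: dict, sid: str) -> Request:
    """Auto-submitting cross-site POST (browser that still sends the cookie):
    no token, attacker's Origin, cross-site Fetch Metadata."""
    return Request("POST", path, form=form, cookies={"sid": sid},
                   headers={"Origin": "https://evil.invalid",
                            "Sec-Fetch-Site": "cross-site"})


def run_scenarios() -> dict:
    """Exercise both handlers; returns status codes and the final stored email."""
    SESSIONS.clear()
    ACCOUNTS.clear()
    ACCOUNTS["alice"] = {"email": "alice@example.invalid"}
    sid = login("alice")
    evil = {"email": "attacker@evil.invalid"}
    out = {
        "vulnerable_link_click": change_email_vulnerable(
            victim_clicks_link("/account/email", evil, sid)),
        "hardened_link_click": change_email_hardened(
            victim_clicks_link("/account/email", evil, sid)),
        "hardened_forged_post": change_email_hardened(
            attacker_auto_form("/account/email", evil, sid)),
    }
    ACCOUNTS["alice"]["email"] = "alice@example.invalid"  # undo the takeover
    legit = Request("POST", "/account/email",
                    form={"email": "alice-new@example.invalid",
                          "csrf_token": SESSIONS[sid]["csrf"]},
                    cookies={"sid": sid},
                    headers={"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"})
    out["hardened_legit_post"] = change_email_hardened(legit)
    out["final_email"] = ACCOUNTS["alice"]["email"]
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Running it shows the vulnerable handler accepting the link click (200, email now the attacker's), the hardened handler rejecting the same click on method alone (405) and the forged POST on Fetch Metadata before the token is even looked at (403), while the legitimate same-origin POST with the session's token succeeds. The Origin and Sec-Fetch-Site checks are defence in depth for browsers that send them; the token is the check that works everywhere.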

    3. Re:Could be worse by Anonymous Coward · · Score: 0

      Oh, it's even easier than that. Just sign up for an account, and log in with SSH. You can strip-mine all the WordPress sites people naively put on the system if you know where it's installed, which is pretty obvious in bulk hosting environments. I reported this stuff back to DreamHost years ago and got dismissed, because one of my friends' sites was hacked with a rootkit and the rootkit could do exactly that.

      Captcha: Stupidly.

  2. Well.. by fluffernutter · · Score: 1

    This completely goes against the ultra-secure impression I had of shared web hosting companies!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  3. Oh by Anonymous Coward · · Score: 0

    There was little danger of that happening, even though I am aware that there was a concerted effort to put violent Russian hackers on the street. Nice try, it was never going to work that way.

    1. Re: Oh by Anonymous Coward · · Score: 0

      Oops

  4. Not surprised by Anonymous Coward · · Score: 1

    Used to work for Bluehost, they fired most of the competent developers and off-shored the support. They were pretty slow on updating Red Hat as well.

    1. Re: Not surprised by Anonymous Coward · · Score: 0

      I used to work at another one of these companies. After EIG took over, things did not go in a happy direction. They kept all the fluff (free beer Fridays!) and fucked up whatever real assets the company had in its culture, workforce, and products. I sold all the stock I got from the IPO immediately, and I have no regrets.

  5. That's nothing by Anonymous Coward · · Score: 0

    I always use SSH on all my hosting accounts and the number of security flaws I've found is really ridiculous.

    Hell, even as we speak one of my shared hosts allows executing a non-standard-location ps, and it shows the full script execution parameters from other clients/users, including --username=x --password=x from their web-browser-supplied FTP client. Which means you could already log in with their credentials and at least delete or modify all their stuff. And this is a main hosting provider.
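What the comment above describes is credentials passed on a command line, which every user on the box can read through /proc whether or not the stock ps binary is restricted, since ps does nothing more than read /proc/<pid>/cmdline. Below is an added example (not the commenter's code) of the check a tenant or a hosting operator can run: it parses the NUL-separated argv format of /proc/<pid>/cmdline, flags the argument shapes that carry a secret inline, redacts them so the findings can be logged, and optionally scans the live /proc. It assumes a Linux /proc layout; the flag list is a heuristic to extend for the tools on a given host, and the tool names and sample command lines are constructed for illustration.

```python
"""Find credentials leaked through process command lines on a shared host.
Added example; assumes Linux /proc. Sample data and tool names are constructed."""
from __future__ import annotations

import os
import re

# Flags whose value is a secret, glued on with '=' or placed in the next slot.
CRED_FLAG = re.compile(r"^--?(password|passwd|pass|pw|secret|token|api[-_]?key)(=|$)", re.I)
# mysql-client style short flag with the password glued on: -phunter2
MYSQL_P = re.compile(r"^-p.+")


def parse_cmdline(raw: bytes) -> list[str]:
    """Split /proc/<pid>/cmdline (argv joined by NUL, trailing NUL) into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def leaky_args(argv: list[str]) -> list[str]:
    """Return the argv entries that carry a credential inline."""
    hits, i = [], 0
    while i < len(argv):
        a = argv[i]
        if CRED_FLAG.match(a):
            if "=" in a:
                hits.append(a)                          # --password=hunter2
            elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                hits.append(f"{a} {argv[i + 1]}")       # --password hunter2
                i += 1
            # a bare flag with no value (the tool prompts on the tty) leaks nothing
        elif MYSQL_P.match(a):
            hits.append(a)   # -phunter2; heuristic, -p<x> on other tools is noise
        i += 1
    return hits


def redact(arg: str) -> str:
    """Keep the flag, drop the secret, so findings can be logged safely."""
    if "=" in arg:
        return arg.split("=", 1)[0] + "=<redacted>"
    if " " in arg:
        return arg.split(" ", 1)[0] + " <redacted>"
    return arg[:2] + "<redacted>"                       # -p<secret>


def scan_cmdlines(cmdlines: dict[int, bytes]) -> dict[int, list[str]]:
    """Pure core: pid -> raw cmdline in, pid -> redacted findings out."""
    findings = {}
    for pid, raw in cmdlines.items():
        hits = leaky_args(parse_cmdline(raw))
        if hits:
            findings[pid] = [redact(h) for h in hits]
    return findings


def scan_proc(proc: str = "/proc") -> dict[int, list[str]]:
    """Read every /proc/<pid>/cmdline the caller may read: exactly what an
    unprivileged shell user sees (with hidepid=2 only the caller's own pids)."""
    cmdlines = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                cmdlines[int(entry)] = f.read()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue                 # process exited, or hidden by hidepid
    return scan_cmdlines(cmdlines)


# Constructed sample of what a neighbour on a shared box could see.
SAMPLE_CMDLINES = {
    4242: b"webftp-sync\0--username=bob\0--password=hunter2\0ftp.example.invalid\0",
    4243: b"mysqldump\0-uroot\0-pS3cret!\0shopdb\0",
    4244: b"php-fpm: pool www\0",
    4245: b"backup.sh\0--password\0tr0ub4dor\0/var/www\0",
}

if __name__ == "__main__":
    for pid, hits in scan_cmdlines(SAMPLE_CMDLINES).items():
        print("sample", pid, hits)
    if os.path.isdir("/proc"):
        for pid, hits in scan_proc().items():
            print("live", pid, hits)
```

On the operator side the containment is to remount /proc with hidepid=2 (and optionally gid= for a monitoring group) so tenants cannot list each other's processes at all; on the tenant side, never put a secret in argv: use the tool's option file, an environment variable read by a wrapper, or stdin, since argv is world-readable for the lifetime of the process and also lands in shell history and accounting logs.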

    1. Re: That's nothing by Anonymous Coward · · Score: 0

      It must be awful in other countries. Imagine the poorest parts of China. You could have every password hacked in a day.

    2. Re: That's nothing by Anonymous Coward · · Score: 0

      It must be awful in other countries. Imagine the poorest parts of China. You could have every password hacked in a day.

      Poorest parts of China don't even have electricity, much less internet access. Of course if you're living there you better get used to churning yak butter by hand.

    3. Re: That's nothing by Anonymous Coward · · Score: 0

      Hahaha my friend lives there. It is really boring

  6. Batch Botch iza Bitch by Tablizer · · Score: 1

    This completely goes against the ultra-secure impression I had of shared web hosting companies!

    You are probably being sarcastic, but this kind of thing will be an issue with "the cloud"; the cloud just being glorified web hosting.

    A single vulnerability will expose hundreds or more customers to mass attacks.

    However, this doesn't necessarily mean it's worse than self-hosted systems*, only that breaches may be more public because many other orgs will be in the same boat.

    It's kind of comparable to nuclear power: it's less illness and death per generated kilowatt on average, but failures tend to be quite public and "in batches" compared to the alternatives, creating public relations headaches.

    * Self-hosted systems can be more secure, but I don't trust the average company to do it right. I've worked for too many PHBs.

  7. It wuz haxx0rz, wif de hax! Haxx0rin! by Anonymous Coward · · Score: 0

    Just the usual content-free msmash-trash.

  8. OVH by devlp0 · · Score: 1

    I have a virtual host with OVH - pretty good specs, works fine and as cheap as chips!

    --
    >/dev/null 2>&1
    1. Re:OVH by Anonymous Coward · · Score: 0

      AMD or Intel chips?

  9. no surprise by Anonymous Coward · · Score: 0

    From the number of attempted attacks from hosting IP ranges, not really surprising.
    Especially as even if you send them a log showing the attack, you don't even get a reply. They need a good suing for being useless shits.