Security researchers have discovered a number of flaws in popular website hosting platforms that could enable hackers to easily take over websites.
According to a report by Website Planet, security researcher Paulos Yibelo found flaws in Bluehost, Dreamhost, HostGator, OVH and iPage.
On Bluehost, it was found that the platform leaked information through CORS misconfigurations. Bluehost uses cross-origin resource sharing (CORS) to share resources across its own domains. CORS is a browser mechanism that relaxes the same-origin policy so that one website can read responses from another, provided the responding site declares that origin as allowed.
"In Bluehost’s case, we saw a loose regular expression that accepted vague values. For instance, if the browser that sends the request is coming from https://my.bluehost.com.evil[dot]com, Bluehost would allow it," the report said.
It added: "Browsing through Bluehost, the API endpoint returns very ‘juicy’ information – from personally identifiable information to technical endpoints that can leak various tokens to take over a Bluehost hosted account."
The researcher also showed that Bluehost had a flaw that enabled hackers to take over an account through cross-site request forgery (CSRF), made possible by improper validation of JSON requests. A man-in-the-middle attack was also possible because the scheme of the requesting origin was not properly validated in the CORS check.
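The loose origin check the report describes is a small coding mistake with a large effect: a regular expression anchored only at the start of the string accepts any origin that merely begins with the allowed host. The following is an added illustration, not code from the report or from Bluehost; the hostnames and the attacker-controlled origin are constructed for the example. It shows the loose pattern beside a strict allowlist check of the kind a server should use before echoing an origin into Access-Control-Allow-Origin on a credentialed response.

```javascript
// Added example: a loose CORS origin check of the kind described in the report,
// beside a strict allowlist check. Hostnames are constructed placeholders.

// Loose pattern: anchored only at the start, so any origin that *begins with*
// the allowed host passes, e.g. https://my.bluehost.com.attacker.example.
const LOOSE_ORIGIN = /^https:\/\/my\.bluehost\.com/;

function looseOriginAllowed(origin) {
  return LOOSE_ORIGIN.test(origin);
}

// Strict check: parse the Origin header as a URL, require https, and compare
// the canonical origin (scheme + host + non-default port) against an allowlist.
const ALLOWED_ORIGINS = new Set([
  'https://my.bluehost.com',
  'https://www.bluehost.com',
]);

function strictOriginAllowed(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;                 // "null", garbage or missing Origin: deny
  }
  // Requiring url.origin === origin rejects anything that is not a bare
  // scheme://host[:port] string (paths, userinfo, trailing dots, etc.).
  return url.protocol === 'https:' &&
         url.origin === origin &&
         ALLOWED_ORIGINS.has(url.origin);
}

// Headers to emit on a credentialed CORS response. Returns null when the
// origin is not allowed, meaning no Access-Control-Allow-Origin header at all.
// Never combine '*' with Allow-Credentials: browsers reject it, and echoing
// an unchecked Origin value reproduces the original flaw.
function corsHeaders(origin) {
  if (!strictOriginAllowed(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',             // responses differ per origin; keep caches honest
  };
}
```

The `Vary: Origin` header matters whenever the allowed origin is echoed back: without it a shared cache could serve one origin's permissive response to another.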
Dreamhost was also found to have a vulnerability that allowed an attacker to change the victim’s email address or password to whatever they desired when the victim visited a link or a malicious website, via an XSS attack.
HostGator had a flaw that meant an attacker could add, edit, or change any value in the victim’s profile, including the email address and personal information, when the victim clicked on a link or visited a malicious website. This sitewide CSRF protection bypass could enable a hacker to gain control of a website.
OVH had a CSRF protection bypass flaw that meant a hacker could add, edit or change any value in the victim’s profile, including email address and personal information, when an authenticated victim clicked on a link or visited a malicious website. There were also API misconfigurations that allowed any website to fetch and read API responses from OVH.
iPage was found to have a vulnerability that allows an attacker to remotely take over any iPage account, when the victim simply clicks a link or visits a website.
"This vulnerability is due to a weird feature iPage has in their Change Password page. iPage doesn’t require your old/current password to change your password, and there are no unique tokens associated with the request," said the report. "This means any website can send a cross-origin request with a new password to iPage, with the victim’s username, and iPage will change their password to whatever the attacker likes."
Graham Marcroft, operations and compliance director at Hyve Managed Hosting, told SC Media UK that if attacked this way, organisations should lock down the site: do not allow any inbound traffic at all, secure the firewall, and have an online presence but make it purely that, an online presence.
"This gives the company time to take stock and assess the situation. GDPR lays down strict guidelines on what to do in the event of a data breach and this should be the organisation’s first concern – they absolutely must find out if there has been a breach. If so, don’t hide it, follow the ICO guidelines, take the PR hit. It won’t be anywhere near as big as the PR hit the company would take if it is discovered that they tried to hide the breach," he said.
Tim Callan, senior fellow at Sectigo, told SC Media UK that certificate automation and management is one way organisations can defend against this kind of risk.
"A certificate automation tool can monitor and replace expiring certificates, give visibility on the certificates in use, and even discover new certificates before an unexpected expiration can cause a problem, reducing the risk of lost revenue, data loss, and financial penalties for outages or security breaches. All enterprises should evaluate how certificate automation can help keep security and service levels at their peak," he said.