
Various hosting providers vulnerable to simple account hacks


Security researcher Paulos Yibelo revealed about ten bugs that made it very easy to steal sensitive information or to take over a customer's account. The bugs were in some of the largest web hosting companies on the internet, reports TechCrunch.

In a number of cases, getting the victim to click a simple link was enough to take over the account of someone using one of the five largest hosting providers. These were Bluehost, DreamHost, Hostgator, OVH and iPage. "All five had at least one serious vulnerability that could be used to take over an account," says Yibelo. The vulnerabilities were reported before Yibelo made them public. The errors have also been fixed.

The bugs could be used against the seven million domains that the providers host together. Most of Yibelo's attacks were simple, but very effective when used in conjunction with a spearphishing campaign. Most of the domain registration data of large customers can be found in WHOIS databases. Most hacks would work by sending the domain owner a malicious link by e-mail and hoping that he would click on it.


In the case of Bluehost, Yibelo put rogue JavaScript on a page full of kittens or puppies. Once a logged-in Bluehost user clicks on a link from an email or tweet to that page, the hidden JavaScript activates and injects the attacker's profile information into the victim's account, provided the victim is already logged in.

The hacker does this by abusing a cross-site request forgery (CSRF) problem. This allows the attacker to modify data on the server from his rogue website without the victim's knowledge. The attacker can then request a new password, which is sent to the attacker's email address, and thus take over the account.

Hostgator had multiple vulnerabilities, including a similar CSRF problem that disabled the countermeasures meant to stop a cross-site script from running. This allowed Yibelo to modify all the data in a victim's profile and to add data. This includes an e-mail address that can be used to reset the user's password. The researcher also found vulnerabilities that allowed man-in-the-middle attacks on a local network.

OVH and iPage

OVH had a similar error that allowed Yibelo to bypass its CSRF protections, allowing him to add or modify data on a user’s profile here as well. By exploiting another vulnerability in the API, an attacker could also retrieve and read OVH responses.

iPage had the same kind of error that could easily be abused, because the web host did not require an old or current password when the login data was reset. This allowed an attacker to create a rogue web address, which resets the password to one that the attacker chooses when a victim clicks on it.
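
The two server-side checks that address the flaws described above, shown together: a session-bound CSRF token plus origin check on the profile-update request (the Bluehost, Hostgator and OVH cases) and a current-password requirement before recovery data changes (the iPage case). This is an added example, not code from the article, the researcher or any of the providers; every function name, the key, the origin and the account data are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical names and constructed sample values throughout.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://panel.example.test"


def issue_csrf_token(session_id):
    """Token bound to one session; only pages the panel itself serves carry it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def sample_account():
    """Constructed account record used to exercise the handler."""
    salt = b"constructed-salt"
    return {"email": "owner@example.test", "salt": salt,
            "pw_hash": hash_password("correct horse", salt)}


def origin_is_trusted(headers):
    """Reject state-changing requests that were sent from another site."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def handle_email_change(account, session_id, headers, form):
    """Return (status, message); the address changes only if every check passes."""
    if not origin_is_trusted(headers):
        return 403, "cross-site request rejected"
    token = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(issue_csrf_token(session_id).encode(), token):
        return 403, "missing or invalid CSRF token"
    supplied = hash_password(form.get("current_password", ""), account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return 401, "current password required"
    if not form.get("new_email"):
        return 400, "new_email missing"
    account["email"] = form["new_email"]
    return 200, "email updated"
```

A request forged from another site fails the first two checks because the foreign page cannot read the token, and a stolen or forged session still cannot redirect password resets without the current password.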

Most web hosting companies have fixed the errors. Only OVH did not respond to TechCrunch’s request. The other companies have confirmed that the problems have been solved.

This news article was automatically translated from Dutch to give Techzine.eu a head start.