Popular Web Hosting Platforms Contain Multiple Vulnerabilities

Paulos Yibelo, a researcher working with Website Planet, tested several popular web hosting platforms, including Bluehost, Dreamhost, HostGator, and OVH, and uncovered several vulnerabilities that allow information theft and account takeover. A cross-origin resource sharing (CORS) misconfiguration allows any Bluehost domain, including attacker-controlled subdomains, to read data belonging to another Bluehost domain, potentially exposing personal and financial information; the same issue was observed on HostGator. Improper validation of JSON requests allows cross-site request forgery (CSRF), and, combined with cross-site scripting (XSS), lets a threat actor change the account holder's email address to any arbitrary address and initiate a password reset, thereby gaining control of the entire account. Some of the hosts do not require the current password when the email address is changed, and some do not set the HttpOnly flag on sensitive cookies, so script injected into a page can read session cookies and replay them to authenticate as the victim. Lastly, a lack of protocol validation lets a threat actor positioned as a man-in-the-middle view web traffic sent over unencrypted HTTP. The NJCCIC recommends applying patches or fixes released by each host if and when they become available. Detailed information on the vulnerabilities can be found in the Website Planet report.
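The following is an added example, not code from the Website Planet report or from any of the hosts named above. It contrasts the lax checks behind the CORS, protocol-validation and JSON/CSRF issues described above with strict versions a practitioner would expect, using a hypothetical provider domain (example-host.com), a hypothetical allowlist of origins, and constructed sample Origin header values.

```javascript
'use strict';
// Added example; the provider domain, allowlist and sample origins are
// hypothetical and constructed for illustration only.

// Exact origins allowed to read API responses with credentials (hypothetical).
const ALLOWED_ORIGINS = new Set([
  'https://my.example-host.com',
  'https://www.example-host.com',
]);

// Lax origin check of the kind that produces the CORS issue: any Origin that
// merely contains the provider's domain passes, so customer-controlled
// subdomains, lookalike registrations and plaintext http:// origins all pass.
function laxOriginAllowed(origin) {
  return typeof origin === 'string' && origin.includes('example-host.com');
}

// Strict origin check: parse the header, require https, and match the full
// origin (scheme, host, port) against an exact allowlist. u.origin normalises
// case and drops the default port, so 'HTTPS://MY.EXAMPLE-HOST.COM:443' matches.
function strictOriginAllowed(origin) {
  if (typeof origin !== 'string') return false;
  let u;
  try { u = new URL(origin); } catch { return false; }
  if (u.protocol !== 'https:') return false; // rejects the MITM-forgeable http:// case
  return ALLOWED_ORIGINS.has(u.origin);
}

// CORS response headers for a credentialed API. A wildcard cannot be used with
// credentials, so the exact origin is echoed back; the allow decision above is
// therefore the only thing keeping account data from being read cross-origin.
function corsHeaders(origin, allowed) {
  if (!allowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// CSRF gate for a JSON endpoint that changes the account email address. A
// cross-site HTML form can only submit a JSON-looking body as text/plain or a
// form encoding, so requiring application/json forces a preflighted request,
// and requiring an allowlisted Origin rejects a forged request outright.
// Demanding the current password is an independent second line of defence.
function jsonRequestAccepted(req) {
  if (req.method !== 'POST') return false;
  const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') return false;
  if (!strictOriginAllowed(req.headers['origin'])) return false;
  const pw = req.body && req.body.current_password;
  return typeof pw === 'string' && pw.length > 0;
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie
// (so an XSS bug cannot lift it), Secure keeps it off plaintext HTTP, and
// SameSite limits cross-site sends.
function sessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

function hasCookieFlag(setCookie, flag) {
  return setCookie.split(';').map(s => s.trim().toLowerCase()).includes(flag.toLowerCase());
}

// Constructed sample Origin values an attacker might present.
const SAMPLE_ORIGINS = [
  'https://my.example-host.com',             // legitimate front end
  'https://attacker-site.example-host.com',  // customer-controlled subdomain
  'https://example-host.com.evil.test',      // lookalike registration
  'http://my.example-host.com',              // plaintext: forgeable by a MITM
];

// Side-by-side result of both checks over the sample origins.
function compareChecks() {
  return SAMPLE_ORIGINS.map(o => ({
    origin: o,
    lax: laxOriginAllowed(o),
    strict: strictOriginAllowed(o),
  }));
}

console.table(compareChecks());
```

Only the first sample origin survives the strict check; the lax check accepts all four, which is the behaviour that lets a malicious subdomain or a man-in-the-middle-injected http:// page read another account's data.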

Advisory | NJCCIC | Web Server, XSS