Bluehost, A Popular Web Hosting Platform, Is Riddled With Flaws

Similar flaws were discovered in the Dreamhost, HostGator, OVH, and iPage web hosting platforms, according to him.


Several one-click client-side vulnerabilities have been discovered in the popular Bluehost web hosting platform by a researcher. According to the analysis, these would enable cybercriminals to easily carry out complete account takeovers.

Bluehost has acknowledged the issue and stated to Threatpost, “We are aware of Paulos’s research and have taken measures to address the potential vulnerabilities in question.”

Paulos Yibelo, an independent researcher and bug hunter, set up a testing site with Bluehost, which powers more than 2 million websites worldwide, according to its “About Us” page. Multiple account takeover and information leak vulnerabilities, as well as a lack of password verification when changing account credentials, were discovered in the platform.

Yibelo discovered a misconfiguration of cross-origin-resource-sharing (CORS), which allows websites to share resources across domains, as the most severe issue.

Generally speaking, JavaScript that is running on one domain can only read data from that domain (known as the “same origin policy”); this prevents a website from being weaponized to, for example, spy on a user’s email activity in another tab of his or her browser. Without such segregation, malicious code lurking on one of the user’s open websites could easily harvest data from any of the other open websites.

However, there are legitimate use cases for sending requests to other domains, such as the use of publicly accessible APIs that anyone can query – this is the purpose of CORS. Unfortunately, misconfigurations can allow a malicious domain to send requests to a legitimate domain, and the legitimate domain will respond, making data harvesting possible.

According to the researcher, Bluehost’s CORS function does not have the appropriate filters in place to govern which websites are permitted to access which Bluehost-hosted website data. In essence, any website with a Bluehost domain name ( will permit another website with a Bluehost domain name to view its contents.

“For example, if the browser sending the request originates from, Bluehost would permit it,” according to research published on Monday. “Bluehost only examined the initial strings and did not consider what followed” This means that malicious attackers could host a subdomain. and [a legitimate Bluehost website] would permit to access its content.”

During testing, Yibelo was able to access personally identifiable information (PII) such as name, location (city, street, state, and country), phone number, and ZIP code; partial payment details including expiration month and year, last four digits of a card, card name, card type, and payment method; and tokens that can grant access to a user’s hosted WordPress, Mojo, SiteLock, and various OAuth-supported endpoints.

A second, moderately severe flaw would permit account takeover due to improper JSON request validation, allowing cross-site request forgery (CSRF). The vulnerability allows attackers to change the email address of any Bluehost user to any address of their choosing and then reset the password using the new email address to gain complete account access. According to Yibelo, the attack is initiated when a victim clicks a single malicious link or visits a single malicious website.

According to the analysis, this vulnerability can be exploited due to misconfigurations in Bluehost’s handling and validation of requests. “When users attempt to modify their personal information, such as name, phone number, address, or email address, Bluehost sends [a request to the platform]” If you look closely, you will notice that this request does not include a unique token. This means that any website can send a request to a specific endpoint from another domain and modify your information.”

Typically, this attack would be thwarted due to its reliance on the Adobe Flash Player-dependent JSON format; however, Yibelo discovered that “special tricks and server misconfigurations” allow it to work in any browser without Flash:

Since browsers typically append = (equal sign) to the end of input names, we can manipulate the JSON to include the equal sign in FirstName and add the remaining values in the “value” attribute: organization”:null. The request will be sent with Content-Type: text/plain instead of application/JSON, but Bluehost doesn’t seem to mind, allowing our exploit to work cross-origin. Bluehost typically verifies that the referrer domain is; if it is not, Bluehost rejects the request with a 500 status code. This is easily circumvented by using Content=”no-referrer” in the meta tag, as Bluehost will permit the request if a no-referrer is sent.

A third, also moderately high vulnerability would allow account takeover by way of cross-site scripting (XSS) (XSS). Bluehost does not require a current password when changing one’s email address, so an attacker can simply perform a CSRF attack using this XSS vulnerability to take over any account; and, Bluehost does not have any HttpOnly flags on sensitive cookies, which means that any JavaScript can access them and send them to a malicious attacker, and the attacker can use these cookies to take over the victim’s account.

The report explained, “This vulnerability allows an attacker to execute commands as the client on; this includes the ability to change, modify, and add content, including the email address.” “The attacker can read content about the victim, or change the content on their website when the victim clicks on a malicious link or visits a website.”

A man-in-the-middle attack is possible due to improper CORS validation, which is a medium-severity vulnerability.

Here, instead of not verifying the domain, Bluehost does not verify the scheme/protocol when allowing CORS to read its contents, allowing access via an HTTP domain request (i.e., the traffic is unencrypted).

This attack renders Bluehost’s SSL certificate completely useless and defeats the purpose of an HTTPS request in the first place, according to the report.

Notably, Bluehost is not alone in this regard; according to Yibelo, similar flaws were also discovered in the web hosting platforms of Dreamhost, HostGator, OVH, and iPage.

Mike Bittner, digital security and operations manager for The Media Trust, stated via email, “By giving scant regard to security and privacy, web-hosting platform providers unwittingly enable bad actors to steal consumer information and commit fraud.” “This lax approach places platform providers, their customers, and consumers in grave danger as consumer data privacy regulations around the world tighten and malicious actor attacks intensify. As every user of every website they host could be a target of cybercriminals, these service providers should incorporate security tests and enhancements into the product lifecycle. Imagine the number of site visitors who could be affected and the number of site owners who would violate new privacy laws if a provider hosting one million websites takes a haphazard approach to privacy and security.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
20 Million Users Download Shady Reward Apps From Google Play

January 29, 2023

More than 20 million devices have downloaded a new category of activity-tracking applications from Google Play, Android’s official app store, in recent months. The applications promote themselves as health, pedometer, and good habit-building applications, promising users random rewards for remaining…

APT Lazarus Aims Mac Malware at Engineers

August 17, 2022

The North Korean APT is conducting a cyberespionage campaign against users of Apple and Intel-based systems using a bogus Coinbase job posting. The North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign aimed at engineers…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of