Similar flaws were discovered in the Dreamhost, HostGator, OVH, and iPage web hosting platforms, according to the researcher.
Several one-click client-side vulnerabilities have been discovered in the popular Bluehost web hosting platform by a researcher. According to the analysis, these would enable cybercriminals to easily carry out complete account takeovers.
Bluehost has acknowledged the issue and stated to Threatpost, “We are aware of Paulos’s research and have taken measures to address the potential vulnerabilities in question.”
Paulos Yibelo, an independent researcher and bug hunter, set up a testing site with Bluehost, which powers more than 2 million websites worldwide, according to its “About Us” page. Multiple account takeover and information leak vulnerabilities, as well as a lack of password verification when changing account credentials, were discovered in the platform.
The most severe issue Yibelo found was a misconfiguration of cross-origin resource sharing (CORS), the browser mechanism that lets a website share resources with other domains.
There are legitimate reasons for a page to send requests to other domains, such as querying a publicly accessible API that anyone may call, and that is what CORS exists to permit. A misconfiguration, however, can allow a malicious domain to send requests to a legitimate domain and have the legitimate domain answer them, which makes data harvesting possible.
According to the researcher, Bluehost’s CORS function does not have the appropriate filters in place to govern which websites are permitted to access which Bluehost-hosted website data. In essence, any website with a Bluehost domain name (https://my.bluehost.com/) will permit another website with a Bluehost domain name to view its contents.
“For example, if the browser sending the request originates from https://my.bluehost.com.EVIL.com, Bluehost would permit it,” according to research published on Monday. “Bluehost only examined the initial strings and did not consider what followed Bluehost.com. This means that malicious attackers could host a my.bluehost.com.EVILWEBSITE.com subdomain, and [a legitimate Bluehost website] would permit EVILWEBSITE.com to access its content.”
During testing, Yibelo was able to access personally identifiable information (PII) such as name, location (city, street, state, and country), phone number, and ZIP code; partial payment details including expiration month and year, last four digits of a card, card name, card type, and payment method; and tokens that can grant access to a user’s hosted WordPress, Mojo, SiteLock, and various OAuth-supported endpoints.
A second, moderately severe flaw would permit account takeover due to improper JSON request validation, allowing cross-site request forgery (CSRF). The vulnerability allows attackers to change the email address of any Bluehost user to any address of their choosing and then reset the password using the new email address to gain complete account access. According to Yibelo, the attack is initiated when a victim clicks a single malicious link or visits a single malicious website.
According to the analysis, this vulnerability can be exploited due to misconfigurations in Bluehost’s handling and validation of requests. “When users attempt to modify their personal information, such as name, phone number, address, or email address, Bluehost sends [a request to the platform]. If you look closely, you will notice that this request does not include a unique token. This means that any website can send a request to a specific endpoint from another domain and modify your information.”
Typically, this attack would be thwarted, because sending a cross-origin request with a JSON-formatted body from a browser has relied on Adobe Flash Player; however, Yibelo discovered that “special tricks and server misconfigurations” allow it to work in any browser without Flash:
Since browsers typically append = (equal sign) to the end of input names, we can manipulate the JSON to include the equal sign in FirstName and add the remaining values in the “value” attribute: "organization":null. The request will be sent with Content-Type: text/plain instead of application/json, but Bluehost doesn’t seem to mind, allowing our exploit to work cross-origin. Bluehost typically verifies that the referrer domain is bluehost.com; if it is not, Bluehost rejects the request with a 500 status code. This is easily circumvented by using content="no-referrer" in the meta tag, as Bluehost will permit the request if no referrer is sent.
The report explained, “This vulnerability allows an attacker to execute commands as the client on bluehost.com; this includes the ability to change, modify, and add content, including the email address.” “The attacker can read content about the victim, or change the content on their website when the victim clicks on a malicious link or visits a website.”
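The passage above describes three server-side gaps behind the CSRF flaw: no per-session token on the request, a text/plain body accepted as JSON, and a referrer check that passes when no referrer is sent at all. The following is an added example, not Bluehost’s code, of how a state-changing JSON endpoint can close all three by failing closed; the endpoint name (“update profile”), the X-CSRF-Token header, the origin allowlist and the sample requests are constructed for illustration.

```python
# Added example, not Bluehost's code: server-side validation for a
# state-changing JSON endpoint (a constructed "update profile" call).
# Header names, the allowlist and the sample requests are assumptions.
import hmac
import json
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://my.bluehost.com"}  # constructed allowlist


def origin_of(url: str) -> str:
    """Reduce a full Referer URL (or an Origin value) to scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def validate_profile_update(headers: dict, body: bytes, session_csrf_token: str):
    """Return (accepted, reason). Every check fails closed."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Only a genuine JSON media type is accepted. A cross-site HTML form can
    #    only produce text/plain here; application/json needs a CORS preflight.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type"

    # 2. Origin (preferred) or Referer must be present AND trusted. A missing
    #    header is rejected; it is never taken as evidence of a same-site call.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "missing origin and referer"
    if origin_of(source) not in TRUSTED_ORIGINS:
        return False, "untrusted origin"

    # 3. Anti-CSRF token bound to the session, compared in constant time.
    if not hmac.compare_digest(h.get("x-csrf-token", ""), session_csrf_token):
        return False, "csrf token mismatch"

    # 4. Parse strictly; the body must be a JSON object, not an arbitrary value.
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed json"
    if not isinstance(data, dict):
        return False, "body is not a json object"
    return True, "ok"


# Constructed sample requests (the token value is made up).
SESSION_TOKEN = "c0ffee-session-token"
LEGIT = ({"Content-Type": "application/json; charset=utf-8",
          "Origin": "https://my.bluehost.com",
          "X-CSRF-Token": SESSION_TOKEN},
         b'{"FirstName":"Alice","email":"alice@example.test"}')
# Shape of a cross-site HTML form submission as the article describes it:
# text/plain body, no token, and no Referer because the page suppressed it.
FORGED_FORM = ({"Content-Type": "text/plain"},
               b'{"FirstName":"Alice","email":"changed@example.test"}')
# Right media type, but the browser sent no Origin or Referer at all.
NO_REFERRER = ({"Content-Type": "application/json"}, LEGIT[1])

if __name__ == "__main__":
    for name, (hdrs, body) in (("legit", LEGIT), ("forged form", FORGED_FORM),
                               ("no referrer", NO_REFERRER)):
        print(f"{name:12} -> {validate_profile_update(hdrs, body, SESSION_TOKEN)}")
```

The order of the checks matters less than the fact that each one rejects on absence: the referrer bypass in the article works only because a missing header was treated as a pass, and the media-type check alone already stops the form-based trick, since a cross-site form cannot set application/json without a preflight.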
A man-in-the-middle attack is possible due to improper CORS validation, which is a medium-severity vulnerability.
Here, rather than failing to verify the domain, Bluehost fails to verify the scheme (protocol) of the origin it allows to read its contents via CORS, so a request from a plain-HTTP origin is accepted (i.e., the traffic is unencrypted).
This attack renders Bluehost’s SSL certificate completely useless and defeats the purpose of an HTTPS request in the first place, according to the report.
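Both CORS findings, the prefix match on the Origin value and the missing scheme check, come down to how the server decides which Origin header it will reflect. The following added example, which is not Bluehost’s code, puts a prefix-style check of the kind described next to a strict allowlist check that parses the Origin and requires an exact HTTPS host match; the allowlist, the Origin values and the header-building helper are constructed for illustration.

```python
# Added example, not Bluehost's code: a prefix-based CORS origin check of the
# kind the article describes, next to a strict allowlist check that also
# requires HTTPS. The allowlist and Origin values are constructed.
from urllib.parse import urlsplit

TRUSTED_HOST = "my.bluehost.com"
ALLOWED_ORIGIN_HOSTS = {TRUSTED_HOST}  # constructed allowlist


def weak_origin_check(origin: str) -> bool:
    """Flawed check: ignores the scheme and only tests that the remainder of
    the Origin header *starts with* the trusted hostname."""
    host_part = origin.split("://", 1)[-1]
    return host_part.startswith(TRUSTED_HOST)


def strict_origin_check(origin: str) -> bool:
    """Hardened check: parse the Origin header and require an exact match on
    scheme (https only) and hostname, with no user-info, path or query."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # a plain-http origin would expose data to a MITM
    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted@evil.example" style confusion
    if parts.path or parts.query or parts.fragment:
        return False  # a real Origin header carries no path
    if port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_ORIGIN_HOSTS


def cors_headers(origin: str) -> dict:
    """Build the CORS response headers for a request carrying this Origin.
    Untrusted origins get no Access-Control-Allow-Origin at all; Vary: Origin
    keeps caches from serving one origin's answer to another."""
    headers = {"Vary": "Origin"}
    if strict_origin_check(origin):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed Origin values, including the bypass pattern from the article.
    for o in ("https://my.bluehost.com",
              "https://my.bluehost.com.EVIL.com",
              "http://my.bluehost.com",
              "https://my.bluehost.com@evil.example"):
        print(f"{o:42} weak={weak_origin_check(o)!s:5} strict={strict_origin_check(o)}")
```

The weak check accepts the suffixed host and the plain-HTTP origin, which are exactly the two findings above; the strict check only reflects an Origin that parses to an allowlisted hostname over HTTPS, and never falls back to a wildcard when credentials are allowed.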
Notably, Bluehost is not alone in this regard; according to Yibelo, similar flaws were also discovered in the web hosting platforms of Dreamhost, HostGator, OVH, and iPage.
Mike Bittner, digital security and operations manager for The Media Trust, stated via email, “By giving scant regard to security and privacy, web-hosting platform providers unwittingly enable bad actors to steal consumer information and commit fraud.” “This lax approach places platform providers, their customers, and consumers in grave danger as consumer data privacy regulations around the world tighten and malicious actor attacks intensify. As every user of every website they host could be a target of cybercriminals, these service providers should incorporate security tests and enhancements into the product lifecycle. Imagine the number of site visitors who could be affected and the number of site owners who would violate new privacy laws if a provider hosting one million websites takes a haphazard approach to privacy and security.”