Researchers have discovered several one-click client-side vulnerabilities in the popular Bluehost web hosting platform. If exploited, they would allow hackers to easily hijack accounts.
Immediately after being informed about the issues, Bluehost declared that it is taking steps to address the vulnerabilities.
For those who don’t know, Bluehost powers more than 2 million sites around the world, according to its “About Us” page. Researchers have found multiple account-takeover and information-leak vulnerabilities in the platform.
In Bluehost, the CORS configuration didn’t have appropriate filters in place governing which websites should be allowed to access what data on a Bluehost-hosted website. For example, if the browser sent a request with the origin https://my.bluehost.com.EVIL.com, Bluehost would allow it, because Bluehost only checked that the origin started with the expected string and didn’t consider what came after Bluehost.com.
Due to this misconfiguration, researchers were able to access various pieces of personally identifiable information (PII), such as name, location (city, street, state, country), phone number and ZIP code; partial payment details, including expiration month and year, the last four digits of a card, the name on the card, card type and payment method; and tokens that can give access to a user’s hosted WordPress, Mojo, SiteLock and various OAuth-supported endpoints.
Besides the first flaw, researchers discovered another of moderately high severity that, if exploited, would allow a hacker to take over accounts because of improper JSON request validation, which opens the door to cross-site request forgery (CSRF). The vulnerability allows hackers to change the email address of any Bluehost user to an address of their choice, and then reset the password using the new email to gain complete access to the victim’s account. The attack is carried out as soon as a victim clicks a single malicious link or visits a single malicious website.
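The two validation failures described above, the prefix-style origin check and the lenient JSON request check, are shown below beside their hardened forms. This is an added example, not code from Bluehost or from the researchers; the trusted origin https://my.example-host.test and the request headers and body are constructed placeholders, and the functions marked "flawed" illustrate the common pattern the article describes rather than Bluehost’s actual implementation.

```python
"""Added example (not Bluehost's or the researchers' code): the two request
validation mistakes described in the article, each beside a hardened form.

Assumptions, not taken from the article: the trusted origin is the
constructed placeholder https://my.example-host.test, and a handler sees the
Origin and Content-Type request headers as plain strings.
"""
import json

# Constructed allowlist; in practice this lists the real front-end origin(s).
TRUSTED_ORIGINS = frozenset({"https://my.example-host.test"})


def flawed_origin_allowed(origin: str) -> bool:
    """Prefix check of the kind the article describes: any origin that merely
    starts with the trusted string passes, including
    https://my.example-host.test.evil.test. Shown for contrast only."""
    return any(origin.startswith(trusted) for trusted in TRUSTED_ORIGINS)


def origin_allowed(origin: str) -> bool:
    """Hardened check: the Origin header must equal an allowlisted origin
    byte for byte. Browsers serialize Origin as scheme://host[:port] with a
    lowercase host, so exact set membership is the right comparison; there is
    no prefix, suffix or substring matching to abuse."""
    return origin in TRUSTED_ORIGINS


def cors_response_headers(origin: str) -> dict:
    """Build the CORS headers for a credentialed cross-origin response.

    Only an allowlisted origin is reflected; any other origin gets no CORS
    headers at all, so the browser refuses to expose the response body to the
    requesting page. 'Vary: Origin' stops caches from serving one origin's
    headers to another."""
    if not origin_allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def flawed_accept_json_change(body: str) -> bool:
    """Lenient JSON request validation: the request is accepted as long as the
    body parses as JSON, regardless of Content-Type or Origin. A plain
    cross-site HTML form (content type text/plain) can deliver exactly such a
    body, which is what turns an email-change endpoint into a CSRF target.
    Shown for contrast only."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and "email" in data


def accept_json_change(method: str, headers: dict, body: str) -> bool:
    """Hardened validation for a state-changing JSON endpoint such as
    'change account email'.

    1. Only non-safe methods are treated as state changes.
    2. The media type must be exactly application/json (parameters such as
       charset are ignored). A cross-site form cannot set this content type,
       and a script cannot send it without a CORS preflight the server can
       refuse.
    3. The Origin header must be present and allowlisted; a missing Origin on
       a POST is rejected rather than assumed to be same-origin.
    4. Only then is the body parsed.
    """
    if method.upper() not in {"POST", "PUT", "PATCH", "DELETE"}:
        return False
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False
    if not origin_allowed(headers.get("Origin", "")):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and "email" in data
```

If the same endpoint must also serve non-browser clients that send no Origin header, gate those on a per-session CSRF token or an API key rather than relaxing the Origin check; the exact-match allowlist is the part that closes the `my.bluehost.com.EVIL.com` style bypass and should not be weakened.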
Remember, everything can be hacked. To stay away from threats in the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS it is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
A third, moderately high vulnerability can also be used to carry out an account takeover, this time through cross-site scripting (XSS). Researchers say that this vulnerability allows a hacker to execute commands as the client on bluehost.com, with the ability to change, modify and add content, including the email address.
The last one discovered is a medium-severity vulnerability caused by improper CORS validation, which allows a man-in-the-middle attack to be carried out. This attack renders Bluehost’s use of an SSL certificate completely useless and defeats the whole purpose of using HTTPS in the first place.
The implications of such poor cybersecurity implementation can be devastating: if a provider hosting a million sites around the world takes shortcuts on privacy and security, many site visitors could be affected and, as a result, many site owners would find themselves in violation of new privacy laws.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; tests like this include penetration testing and ethical hacking.