
Top web hosting services have major security flaws

(Image credit: Welcomia / Shutterstock)

Security researcher Paulos Yibelo tested five of the world's biggest web hosting services for flaws and found that all five were vulnerable. Not just 'vulnerable', but in fact so flawed that data mining and account takeover wouldn't even require breaking a sweat.

Roughly a dozen flaws were uncovered, some as simple to trigger as a single click on a link.

The hosting services analysed were Bluehost, DreamHost, Hostgator, OVH and iPage. That amounts to roughly seven million domains. Apparently, they patched the flaws before the information went public. OVH is yet to confirm, as the service is still quiet on the matter.

“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch.

According to Yibelo, the flaws are the result of aging infrastructure, complicated back-end systems and companies with massive user databases.

It is not yet known whether anyone took advantage of the flaws. DreamHost claims nobody exploited the bug, while the spokesperson for Bluehost, Hostgator and iPage did not answer the question.

Different services were vulnerable to different types of attack. For Bluehost, malicious JavaScript was embedded in a web page, and as soon as a user clicked on the link, the hidden JavaScript would activate on the page and inject the attacker’s own profile information into the victim’s account. The only prerequisite is that the victim is logged into Bluehost.
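The Bluehost scenario above works because the request that changes the profile is accepted on the strength of the victim's logged-in session alone. As an added example (not from the article, the researcher or any of the hosting providers), here is a server-side guard for such a profile-update request, assuming the flaw is treated as a cross-site forged request; `ALLOWED_ORIGINS`, `checkProfileUpdate`, the origins and the sample requests are all hypothetical.

```javascript
// Added example: guard for a state-changing profile-update request.
// ALLOWED_ORIGINS, checkProfileUpdate and all sample values are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://panel.host.example"]); // assumed panel origin

// Compare two strings without an early exit, so timing does not leak the match length.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Reduce a Referer URL to its origin; null when it is missing or malformed.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// req: { method, headers, body }. session: server-side record found via the session cookie.
function checkProfileUpdate(req, session) {
  if (!["POST", "PUT", "PATCH"].includes(req.method)) {
    return { ok: false, reason: "method not allowed for a state change" };
  }
  // The session cookie alone proves nothing: a browser may attach it to
  // requests started by another site.
  const source = req.headers.origin || originOf(req.headers.referer);
  if (!source || !ALLOWED_ORIGINS.has(source)) {
    return { ok: false, reason: "request did not come from the control panel" };
  }
  // A page on another site cannot read the per-session token, so it cannot echo it back.
  const sent = (req.body || {}).csrfToken;
  if (!session || !safeEqual(sent, session.csrfToken)) {
    return { ok: false, reason: "missing or wrong anti-forgery token" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample data.
const session = { csrfToken: "constructed-token-7f3a" };
const forged = { method: "POST", headers: { origin: "https://attacker.example" },
  body: { email: "attacker@attacker.example" } };
const noToken = { method: "POST", headers: { referer: "https://panel.host.example/profile" },
  body: { email: "user@customer.example" } };
const genuine = { method: "POST", headers: { origin: "https://panel.host.example" },
  body: { email: "user@customer.example", csrfToken: "constructed-token-7f3a" } };

for (const [name, req] of Object.entries({ forged, noToken, genuine })) {
  console.log(name, checkProfileUpdate(req, session));
}
```

Only the `genuine` request is accepted: the forged one fails the origin check, and a same-origin request without the per-session token fails the token check.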

The full breakdown of all five hosting services and their vulnerabilities can be found at this link.


Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.