Top web hosting services have major security flaws

(Image credit: Welcomia / Shutterstock)

Security researcher Paulos Yibelo tested five of the world's biggest web hosting services for flaws and found that all five were vulnerable. Not just 'vulnerable', but in fact so flawed that data mining and account takeover wouldn't even require breaking a sweat.

Roughly a dozen flaws were uncovered, some of them so simple that exploiting them took nothing more than a click on a link.

The hosting services that were analysed were Bluehost, DreamHost, Hostgator, OVH and iPage. That amounts to roughly seven million domains. Apparently, they patched up the flaw before the information went public. OVH is yet to confirm, as the service is still quiet on the matter.

“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch.

According to Yibelo, the flaws are the result of aging infrastructure, complicated back-end systems and companies with massive user databases.

We're yet to learn if anyone took advantage of the flaws or not. DreamHost claims nobody exploited the bug, while the spokesperson for Bluehost, Hostgator and iPage did not answer the question.

Different services were vulnerable to different types of attack. For Bluehost, a malicious JavaScript was embedded in a web page, and as soon as a user clicked on the link, the hidden JavaScript would activate on the page and inject the attacker’s own profile information into the victim’s account. The only prerequisite is that the victim is logged into Bluehost.
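The scenario above works only if a logged-in session is, by itself, enough to change profile data. The following is an added example, not taken from the article or from any of the providers: a server-side check that refuses such a cross-site request. The origin, key handling, function names and sample requests are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed values for this sketch; none of them come from the article.
TRUSTED_ORIGIN = "https://panel.hosting.example"  # placeholder control-panel origin
SERVER_KEY = secrets.token_bytes(32)              # per-deployment secret


def issue_token(session_id: str) -> str:
    """Anti-forgery token bound to one session, embedded in the site's own form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def allow_profile_update(method, headers, session_id, form):
    """Return (allowed, reason) for a request that would change profile data."""
    if method != "POST":
        return False, "state change must use POST"
    if not session_id:
        return False, "not logged in"
    # Browsers attach Origin to cross-site POSTs; a foreign value means the
    # request was launched by a page on another site.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False, "cross-site origin"
    # The session cookie is sent automatically, so it proves nothing about
    # intent. A page on another site cannot read the token, so cannot send it.
    supplied = str(form.get("csrf_token", "")).encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid token"
    return True, "ok"


def demo():
    """Run constructed sample requests through the check."""
    sid = "sess-1234"  # constructed session id
    new_profile = {"email": "new-address@mail.example"}  # constructed form data
    cases = {
        "cross_site": ({"Origin": "https://other-site.example"}, dict(new_profile)),
        "no_origin_no_token": ({}, dict(new_profile)),
        "own_form": ({"Origin": TRUSTED_ORIGIN},
                     dict(new_profile, csrf_token=issue_token(sid))),
    }
    return {name: allow_profile_update("POST", h, sid, f)
            for name, (h, f) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two checks are independent: the Origin comparison stops the request early, and the session-bound token still rejects it when no Origin header is present.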

The full breakdown of all five hosting services and their vulnerabilities can be found on this link.
