This article originally appeared in Threatpost on January 16, 2019.
A researcher has uncovered several one-click client-side vulnerabilities in the popular Bluehost web hosting platform. These would allow cybercriminals to easily carry out complete account takeover, according to the analysis.
Bluehost has acknowledged the issue, and told Threatpost, “We are aware of Paulos’ research and we’ve taken steps to address the potential vulnerabilities in question.”
Independent researcher and bug-hunter Paulos Yibelo, working with Website Planet, set up a testing site with Bluehost, which powers more than 2 million sites around the world according to its “About Us” page. He found multiple account takeover and information leak vulnerabilities in the platform, as well as a lack of password verification when changing account credentials.
The highest-severity problem that Yibelo uncovered was a misconfiguration of cross-origin-resource-sharing (CORS), which allows websites to share resources across their domains.
Generally speaking, JavaScript that is running on one domain can only read data from that specific domain (known as the “same origin policy”); this prevents a website from being weaponized to, say, snoop on what a user is doing in another tab in his or her browser, such as email. Without such sequestration, malicious code lurking on one website that the user has open could be used to easily harvest data from any other website opened in the browser.
However, there are legitimate use cases for sending requests to other domains, such as the use of public APIs that allow anyone to query them – this is the purpose of CORS. Unfortunately, misconfigurations can allow a domain controlled by a malicious party to send requests to a legitimate domain – and the legitimate domain will answer, opening the door to data harvesting.
In Bluehost, Yibelo said that the CORS function doesn’t have appropriate filters in place for governing which websites should be allowed to access what data on the Bluehost hosted website, according to the researcher. Essentially, any website with a Bluehost domain name (https://my.bluehost.com/) will allow another website with a Bluehost domain name to read its contents.
“For instance, if the browser that sends the request is coming from https://my.bluehost.com.EVIL.com, Bluehost would allow it,” according to the research, posted Monday. “Bluehost only checked the first strings and didn’t consider what came after Bluehost.com. This means malicious attackers could host a subdomain called my.bluehost.com.EVILWEBSITE.com and [a legitimate Bluehost website] would allow EVILWEBSITE.com to read its contents.”
In testing, Yibelo was able to access various personally identifiable information (PII), such as name, location (city, street, state, country), phone number and ZIP code; partial payment details including expiration month and year, the last four digits of a card, the name on a card, card type and payment method; and tokens that that can give access to a user’s hosted WordPress, Mojo, SiteLock and various OAuth-supported endpoints.
A second, moderately-high flaw would allow account takeover because of improper JSON request validation, opening the door to cross-site request forgery (CSRF). The vulnerability allows attackers to change the email address of any Bluehost user to the address of their choice, and then reset the password using their new email to gain complete access to the victim’s account. The attack is executed when a victim clicks a single malicious link or visits a single malicious website, according to Yibelo.
“This vulnerability can be exploited because of certain misconfigurations in Bluehost’s handling of requests and validating them,” according to the analysis. “When users try to change their personal details, such as name, phone number, address or email, Bluehost sends [a request to the platform to do so]. If you look carefully, you will notice there is no unique token sent with that request. This means any website can actually send the request to that specific endpoint cross-origin, and change your details.”
Normally this attack would be thwarted because it uses the Adobe Flash Player-dependent JSON; but Yibelo found that “special tricks and server misconfigurations” allow it to work in any browser, without using Flash:
Since browsers normally add = (equal sign) at the end of the input name, we can manipulate the JSON to include the equal sign in FirstName, and add the remaining values in the “value” attribute: organization”:null}. The request will be sent with Content-Type: text/plain and not application/json – but Bluehost doesn’t mind that, which makes our exploit work cross-origin. Normally, Bluehost checks if the referrer domain is bluehost.com – if the request is sent from any other website, Bluehost will reject the request with a 500 response. This can easily be bypassed by using Content=”no-referrer” in the meta tag, because if no-referrer is sent, Bluehost will allow the request.
A third, also moderately high vulnerability would allow account takeover by way of cross-site scripting (XSS). Yibelo determined that this (demonstrated in a proof-of-concept, here) is exacerbated by the fact that Bluehost does not require a current password when changing one’s email address, so an attacker can simply perform CSRF attack using this XSS vulnerability to take over any account; and, Bluehost doesn’t have any HttpOnly flags on sensitive cookies, which means any JavaScript can access them and send them to a malicious attacker, and the attacker can use these cookies to authenticate as the user.
“This vulnerability allows an attacker to execute commands as the client on bluehost.com – this means the ability to change, modify and add content, including the email address,” the report explained. “The attacker can read content about the victim, or change the content on their website when the victim clicks on a malicious link or visits a website.”
A video of the attack can be seen, here.
And finally, a medium-severity issue arises because of improper CORS validation, which allows a man-In-the-middle attack.
Here, instead of not verifying the domain, Bluehost doesn’t verify the scheme/protocol when allowing CORS to read its contents, meaning that it will allow access by an HTTP domain request (i.e., the traffic is unencrypted).
“This downgrade attack makes the use of SSL certificate by Bluehost completely useless and defeats the whole purpose of using an HTTPS request in the first place,” the report noted.
It’s worth noting the Bluehost isn’t alone here – Yibelo said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.
“By paying scant attention to security and privacy, web-hosting platform providers unknowingly enable bad actors to steal consumer information and commit fraud,” said Mike Bittner, digital security and operations manager for The Media Trust, via email. “This lax approach puts platform providers, their customers, and consumers at grave risk as consumer data privacy regulations around the world tighten on the one hand and attacks by malicious actors intensify on the other. Such providers should build security tests and enhancements into the product lifecycle, as every user of each site they host could be victimized by cyber thieves and fraudsters. If a provider hosting a million sites around the world takes a slapdash approach to privacy and security, imagine how many site visitors could be affected and, as a result, how many site owners would find themselves in violation of new privacy laws.”