World's largest web hosting sites hit by security fears

Some of the world's most popular web hosting services were affected by serious security flaws that could have put millions of users at risk, reports have claimed.

Findings from a security researcher found that five major hosting providers suffered from shortcomings that could have allowed hackers to steal user information or even hijack accounts.

Sites including Bluehost, DreamHost, Hostgator, OVH and iPage were affected, according to researcher Paulos Yibelo, meaning around seven million accounts could have been hit.

“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch.

Web hosting security

Yibelo carried out a number of attacks on the five sites, finding that even relatively simple assaults were often successful.

This included embedding malicious JavaScript on a Bluehost page populated by pet pictures that would allow a hacker to inject their own personal information and lock out the original user.

Perhaps most worryingly, he found that iPage did not require an old or current password when resetting the account’s login details, meaning a hacker could gain access with a "one-click" attack by creating a malicious web address which, when clicked, would reset the password to whatever the attacker wanted.
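The iPage flaw as described amounts to a classic cross-site request forgery: a state-changing endpoint that accepts a request the victim's browser sends automatically when a crafted link is opened, with nothing tying the request to a deliberate action by the logged-in user. The following Python example is added here as an illustration and is not code from the researcher, iPage or any of the providers named; the user store, session table, token values and handler names are constructed for the demonstration. It places a handler with the weaknesses the article describes beside a hardened one that refuses GET, checks a per-session CSRF token, requires the current password and rotates the token after use.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; adequate for the demonstration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_fixture():
    """Constructed sample data: one user and one logged-in session (not real accounts)."""
    salt = b"constructed-salt"
    users = {"alice": {"salt": salt, "pw_hash": _hash_password("correct horse battery", salt)}}
    sessions = {"sess-alice": {"user": "alice", "csrf": "tok-alice-1"}}
    return users, sessions


def check_password(users: dict, username: str, candidate: str) -> bool:
    user = users[username]
    return hmac.compare_digest(_hash_password(candidate, user["salt"]), user["pw_hash"])


def vulnerable_reset(request: dict, users: dict, sessions: dict) -> str:
    """Mirrors the weakness the article describes: any request that arrives with a
    valid session cookie and a new_password parameter changes the password.
    No method check, no anti-CSRF token and no current-password check, so a
    link the victim merely opens is enough, because the browser attaches the
    session cookie on its own."""
    session = sessions.get(request.get("cookie"))
    if session is None:
        return "not logged in"
    new_pw = request["params"].get("new_password")
    if not new_pw:
        return "missing field"
    user = users[session["user"]]
    user["pw_hash"] = _hash_password(new_pw, user["salt"])
    return "password changed"


def hardened_reset(request: dict, users: dict, sessions: dict) -> str:
    """Same endpoint with the controls a password change should have."""
    session = sessions.get(request.get("cookie"))
    if session is None:
        return "not logged in"
    # 1. State changes only over POST; a plain link can only produce a GET.
    if request.get("method") != "POST":
        return "rejected: state change must be POST"
    form = request["params"]
    # 2. A secret bound to this session that a third-party page cannot read.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "rejected: bad csrf token"
    # 3. Proof the person at the keyboard knows the current password.
    if not check_password(users, session["user"], form.get("current_password", "")):
        return "rejected: current password incorrect"
    new_pw = form.get("new_password", "")
    if len(new_pw) < 12:
        return "rejected: new password too short"
    user = users[session["user"]]
    user["pw_hash"] = _hash_password(new_pw, user["salt"])
    # 4. One-time use: rotate the token so a captured value cannot be replayed.
    session["csrf"] = secrets.token_urlsafe(16)
    return "password changed"


if __name__ == "__main__":
    # A request of the shape a crafted link would cause the victim's browser to send.
    forged = {"method": "GET", "cookie": "sess-alice",
              "params": {"new_password": "attacker-chosen-pw"}}
    users, sessions = make_fixture()
    print("vulnerable:", vulnerable_reset(forged, users, sessions))
    users, sessions = make_fixture()
    print("hardened:  ", hardened_reset(forged, users, sessions))
    legit = {"method": "POST", "cookie": "sess-alice",
             "params": {"csrf": "tok-alice-1", "current_password": "correct horse battery",
                        "new_password": "a-much-longer-new-pw"}}
    print("legit:     ", hardened_reset(legit, users, sessions))
```

Each of the four controls closes the one-click path on its own; together they also cover the contact-detail change DreamHost describes later in the article, since any handler that alters account data from a request the browser sends without user intent is exposed in the same way.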

The attacks were particularly effective when combined with a spear-phishing campaign aimed at high-profile users, Yibelo added.

A spokesperson for Endurance, the owner of Bluehost, Hostgator and iPage, said the company has “taken steps to address and patch the potential vulnerabilities in question,” but could not confirm if user accounts or data had been compromised.

DreamHost said it had fixed the bugs within 48 hours, and could not find evidence of user accounts being affected.

“After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised,” DreamHost spokesperson Brett Dunst said. “The exploit would have required a logged-in DreamHost user to click a specially formatted malicious link to alter their own account’s contact information.”

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.