Some of the world's most popular web hosting services were affected by serious security flaws that could have put millions of users at risk, reports have claimed.
A security researcher found that five major hosting providers suffered from shortcomings that could have allowed hackers to steal user information or even hijack accounts.
Sites including Bluehost, DreamHost, Hostgator, OVH and iPage were affected, according to researcher Paulos Yibelo, meaning around seven million accounts could have been hit.
“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch.
Web hosting security
Yibelo carried out a number of attacks on the five sites, finding that even relatively simple assaults were often successful.
Perhaps most worryingly, he found that iPage did not require an old or current password when resetting the account’s login details. This meant a hacker could gain access with a "one-click" attack: a malicious web address which, when clicked, would reset the password to whatever the attacker wanted.
The attacks were particularly effective when combined with a spear-phishing campaign targeting high-profile users, Yibelo added.
A spokesperson for Endurance, the owner of Bluehost, Hostgator and iPage, said the company has “taken steps to address and patch the potential vulnerabilities in question,” but could not confirm if user accounts or data had been compromised.
DreamHost said it had fixed the bugs within 48 hours, and could not find evidence of user accounts being affected.
“After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised,” DreamHost spokesperson Brett Dunst said. “The exploit would have required a logged-in DreamHost user to click a specially formatted malicious link to alter their own account’s contact information.”
Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.