Some of the world's most popular web hosting services were affected by serious security flaws that could have put millions of users at risk, reports have claimed.
Findings from a security researcher found that five major hosting providers suffered from shortcomings that could have allowed hackers to steal user information or even hijack accounts.
Sites including Bluehost, DreamHost, Hostgator, OVH and iPage were affected, according to researcher Paulos Yibelo, meaning around seven million accounts could have been hit.
“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch.
Web hosting security
Yibelo carried out a number of attacks on the five sites, finding that even relatively simple assaults were often successful.
Perhaps most worryingly, he found that iPage did not require an old or current password when resetting the account’s login details, meaning a hacker could gain access with a "one-click" attack by creating a malicious web address which, when clicked, would reset the password to whatever the attacker wanted.
The attacks were particularly effective when combined with a targeted spear-phishing campaign targeting high-profile users, Yibelo added.
A spokesperson for Endurance, the owner of Bluehost, Hostgator and iPage, said the company has “taken steps to address and patch the potential vulnerabilities in question,” but could not confirm if user accounts or data had been compromised.
DreamHost said it had fixed the bugs within 48 hours, and could not find evidence of user accounts being affected.
“After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised,” DreamHost spokesperson Brett Dunst said. “The exploit would have required a logged-in DreamHost user to click a specially formatted malicious link to alter their own account’s contact information.”
- The best web hosting service for you website in 2019