Popular Web-Hosting Platform Bluehost Riddled with Flaws


February 12, 2019, by NewsTakers

A researcher has uncovered several one-click client-side vulnerabilities in the popular Bluehost web hosting platform.
These would allow cybercriminals to easily carry out complete account takeover, according to the analysis.
Without the isolation the browser's same-origin policy normally provides, malicious code on one website the user has open could harvest data from any other website open in the browser.
Essentially, any website under a Bluehost domain name (e.g., https://my.bluehost.com/) will allow any other website under a Bluehost domain name to read its contents.
A second flaw, rated moderately high, would allow account takeover because of improper JSON request validation, opening the door to cross-site request forgery (CSRF).
This means any website can actually send the request to that specific endpoint cross-origin, and change your details.
Normally, Bluehost checks if the referrer domain is bluehost.com – if the request is sent from any other website, Bluehost will reject the request with a 500 response.
Yibelo determined that this (demonstrated in a proof-of-concept, here) is exacerbated by two further weaknesses. First, Bluehost does not require the current password when changing the account's email address, so an attacker can simply perform a CSRF attack using this XSS vulnerability to take over any account. Second, Bluehost does not set the HttpOnly flag on sensitive cookies, which means any JavaScript can read them and send them to an attacker, who can then use those cookies to authenticate as the user.
“This vulnerability allows an attacker to execute commands as the client on bluehost.com – this means the ability to change, modify and add content, including the email address,” the report explained.
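The article describes three server-side gaps behind the CSRF path: a Referer-only check, an endpoint that accepts a JSON body without validating where it came from, and session cookies without HttpOnly. The following is an added example, not Bluehost's code and not from the report, showing how a state-changing JSON endpoint can reject cross-origin requests (exact origin allow-list plus a JSON content-type requirement) and how a Set-Cookie header can be audited for the missing flags. The allow-list, request model and sample requests are all constructed for the example.

```python
"""Added example (not Bluehost's code): server-side checks for a
state-changing JSON endpoint plus a Set-Cookie flag audit."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allow-list; a real service would load this from config.
ALLOWED_ORIGINS = {"https://my.bluehost.com"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str]  # lower-case header name -> value
    body: str = ""


def origin_of(url: str) -> Optional[str]:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request that changes account state.

    Browsers attach Origin to cross-origin POSTs and Referer to most
    navigations; both are compared against an exact allow-list rather than
    a substring match, so a host such as bluehost.com.attacker.example
    (constructed name) does not pass.
    """
    if req.method.upper() in {"GET", "HEAD", "OPTIONS"}:
        return True, "safe method, no state change expected"
    source = req.headers.get("origin") or req.headers.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    origin = origin_of(source)
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not in allow-list"
    # An HTML form cannot send application/json, so insisting on it blocks
    # form-based CSRF as a second layer behind the origin check.
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unexpected content type {ctype!r}"
    return True, "ok"


def cookie_flags(set_cookie: str) -> Dict[str, object]:
    """Report hardening attributes on a single Set-Cookie header value."""
    attrs = [p.strip() for p in set_cookie.split(";")[1:]]
    lowered = {a.split("=", 1)[0].lower(): a for a in attrs}
    samesite = None
    if "samesite" in lowered and "=" in lowered["samesite"]:
        samesite = lowered["samesite"].split("=", 1)[1].strip().lower()
    return {
        "name": set_cookie.split("=", 1)[0].strip(),
        "httponly": "httponly" in lowered,
        "secure": "secure" in lowered,
        "samesite": samesite,
    }


if __name__ == "__main__":
    # Constructed requests: a same-origin JSON change and a forged cross-site one.
    good = Request("POST", {"origin": "https://my.bluehost.com",
                            "content-type": "application/json"},
                   '{"email": "new@example.invalid"}')
    forged = Request("POST", {"origin": "https://attacker.example",
                              "content-type": "application/json"},
                     '{"email": "attacker@example.invalid"}')
    print(csrf_check(good))    # (True, 'ok')
    print(csrf_check(forged))  # (False, "origin 'https://attacker.example' not in allow-list")
    print(cookie_flags("session=abc123; Path=/"))  # httponly False, secure False
```

The content-type requirement is deliberately a second layer rather than the only one: the origin allow-list is what stops a cross-site script from calling the endpoint, while the JSON requirement stops the simple-form variant even when origin headers are stripped by a proxy or privacy extension. The cookie audit is the check a reviewer would run against the login response to confirm the session cookie carries HttpOnly and Secure.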
In this case, rather than failing to verify the domain, Bluehost fails to verify the scheme/protocol when deciding whether CORS may read its contents, meaning it will honor a request from an HTTP origin (i.e., one whose traffic is unencrypted).
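To make the CORS point concrete, here is an added example (not Bluehost's code) that places a permissive origin check of the kind the article describes, one that looks only at the host name and reflects whatever origin sent the request, beside a strict one that treats scheme and host together as the identity and compares against an exact allow-list. The allow-list and the origins fed in are constructed; the check generalizes to any service that sets Access-Control-Allow-Credentials.

```python
"""Added example (not Bluehost's code): a permissive CORS origin check
beside a strict one, to show why the scheme must be validated."""
from typing import Dict
from urllib.parse import urlsplit

# Hypothetical allow-list of exact origins permitted to read responses
# with credentials; scheme and host are both part of the identity.
ALLOWED_ORIGINS = {"https://my.bluehost.com"}


def weak_cors_headers(origin: str) -> Dict[str, str]:
    """Reflect the caller's origin if the host name belongs to bluehost.com.

    The scheme is never examined, so http://my.bluehost.com is treated the
    same as https://my.bluehost.com, and every subdomain is trusted alike.
    """
    host = (urlsplit(origin).hostname or "").lower()
    if host == "bluehost.com" or host.endswith(".bluehost.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def strict_cors_headers(origin: str) -> Dict[str, str]:
    """Allow only an exact, HTTPS origin that appears in the allow-list."""
    parts = urlsplit(origin)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return {}
    normalized = f"https://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # response differs per origin; keep caches honest


def compare(origin: str) -> Dict[str, bool]:
    """Whether each policy would grant a credentialed cross-origin read."""
    return {"weak": bool(weak_cors_headers(origin)),
            "strict": bool(strict_cors_headers(origin))}


if __name__ == "__main__":
    # Constructed origins: the legitimate one, its plain-HTTP twin, another
    # Bluehost-hosted subdomain, and a look-alike host under a foreign domain.
    for o in ("https://my.bluehost.com", "http://my.bluehost.com",
              "https://other.bluehost.com",
              "https://bluehost.com.attacker.example"):
        print(o, compare(o))
```

The "Vary: Origin" header matters whenever the allow-list contains more than one origin: without it a shared cache can serve one origin's Access-Control-Allow-Origin value to a different requester.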
