How secure is your website? This week brings worrying news about how easy it is to take over accounts at the biggest web hosting providers.
Or, at least, was easy—because the providers concerned all say the vulnerabilities are now fixed. But it’s fair to say the issues were trivial to exploit.
So are these just the tip of a very large iceberg? In this week’s Security Blogwatch, we cross the sites.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: $£€¥₨₮₦₽₱฿₴₫₩₭₪؋﷼ …
Because of CORS they were
What’s the craic, Zack? Mister Whittaker writes Some of the biggest web hosting sites were vulnerable to simple account takeover hacks:
A security researcher has found … a dozen bugs that made it easy to steal sensitive information or take over any customer’s account from some of the largest web hosting companies … Bluehost, DreamHost, Hostgator, OVH and iPage.
…
The bugs … represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base — with the potential to go easily wrong. … [They] could have been used to target any [owner of] some seven million domains.
…
In the case of Bluehost … a cross-site request forgery (CSRF) flaw … allows the attacker to modify data on the server … while the victim is none the wiser. … The attacker can request a new password … and take over the account. … OVH, meanwhile, had a similar flaw that allowed Yibelo to bypass its CSRF protections.
…
A cross-site scripting (XSS) attack … could instantly swap out a DreamHost account owner’s email address … permitting an account takeover. … iPage had a similar one-click flaw.
…
All of the companies except OVH — which didn’t respond to [me] — confirmed that the bugs were fixed. … It’s remarkable to think that of all the ways to break into a website, it often [requires] little effort.
Sounds like a big case of CORS FAIL. Bill Toulas has Account Takeover Vulnerabilities:
[He] tested the [cross-origin resource sharing] policy of Bluehost and found that it accepts vague values while considering only parts of the strings sent. This is an obvious case of ‘loose’ CORS policy that makes the bypassing of filters by attackers easier.
…
It is possible to change the email address of the registered user and then reset the password, essentially taking over the account. This is achieved through a vulnerability … that allows certain requests to be processed without validation. … The same information leak problems through CORS misconfigurations and API communication was found in HostGator.
…
[This] is alarming, to say the least.
Who discovered this mess of vulns? Paulos Yibelo Tested 5 Popular Web Hosting Companies:
Unfortunately, we found at least one client-side vulnerability in all the platforms we tested, allowing account takeover when the victim clicks a link or visits a malicious website.
…
Out of the five web hosts we tested, we found that all can be easily hacked. This means that no matter which hosting service you use, you should always be sure to take additional measures to enhance your website’s security.
Ouch. What can we do to protect ourselves from similar vulnerabilities? Be like Solandri:
I've had 2FA on my Dreamhost account for years. Real 2FA, not "we'll send a text to your phone."
…
I have to enter my username, password, and a rolling code generated by Authy that changes every 30 seconds. Resetting my password doesn't get you anything, other than inconveniencing me.
Who else can advise? bariscan can: [You’re fired—Ed.]
observatory.mozilla.org can tell you if your site is vulnerable to these sorts of attacks. I end up setting the correct headers and the warnings go away.
…
One thing that is bugging me though: Let’s say I am setting up a nextcloud instance behind a reverse proxy. The way I have been doing it I have had to manually set the right headers in my nginx conf. But this doesn’t seem right. … Is there someway of telling nginx to pass along the backend’s headers?
Cue an inevitable flood of comments from ex-employees of hosting companies. Such as this Anonymous Coward:
Used to work for Bluehost, they fired most of the competent developers and off-shored the support.
And this one:
After EIG took over, things did not go in a happy direction. They kept all the fluff (free beer Fridays!) and ****ed up whatever real assets the company had in its culture, workforce, and products. I sold all the stock I got from the IPO immediately, and I have no regrets.
But yet another Anonymous Coward says there are plenty of other known bugs that exist to this day:
Oh it's even easier than that. Just signup for an account, and login with SSH. You can stripmine all the wordpress sites people naively put on the system if you know where it's installed, which is pretty obvious.
…
I reported this stuff back to dreamhost years ago and got dismissed, because one of my friends' sites were hacked with a rootkit and the rootkit could do exactly that.
Surely an isolated case? Not according to yet another:
I always use SSH on all my hosting accounts and the number of security flaws I've found are really ridiculous.
…
Even as we speak one of my shared hosts allows executing a non-standard location ps and it shows the full script execution parameters from other clients/users including --username=x --password=x. … Which means you could already login with their credentials and at least delete or modify all their stuff. And this is a main hosting provider.
In fact, it’s the tip of a huge iceberg, according to @adamd11:
Very important research. I've been reporting CPanel takeovers to literally all of these hosting companies.
Something definitely needs to change here. Well done.
The moral of the story?
Could your data center be described as “aging infrastructure, complicated and sprawling web-based back-end systems”? And if you use a hosting company, enable 2FA and don’t stay logged in!
And finally …
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Fabio Lanari (cc:by-sa)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
