Popular Web-Hosting Platform Bluehost Riddled with Flaws

bluetooth security vulnerabilities

He said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.


A researcher has uncovered several one-click client-side vulnerabilities in the popular Bluehost web hosting platform. These would allow cybercriminals to easily carry out complete account takeover, according to the analysis.

Bluehost has acknowledged the issue, and told Threatpost, “We are aware of Paulos’ research and we’ve taken steps to address the potential vulnerabilities in question.”

Independent researcher and bug-hunter Paulos Yibelo, working with Website Planet, set up a testing site with Bluehost, which powers more than 2 million sites around the world according to its “About Us” page. He found multiple account takeover and information leak vulnerabilities in the platform, as well as a lack of password verification when changing account credentials.

The highest-severity problem that Yibelo uncovered was a misconfiguration of cross-origin-resource-sharing (CORS), which allows websites to share resources across their domains.

Generally speaking, JavaScript that is running on one domain can only read data from that specific domain (known as the “same origin policy”); this prevents a website from being weaponized to, say, snoop on what a user is doing in another tab in his or her browser, such as email. Without such sequestration, malicious code lurking on one website that the user has open could be used to easily harvest data from any other website opened in the browser.

However, there are legitimate use cases for sending requests to other domains, such as the use of public APIs that allow anyone to query them – this is the purpose of CORS. Unfortunately, misconfigurations can allow a domain controlled by a malicious party to send requests to a legitimate domain – and the legitimate domain will answer, opening the door to data harvesting.

In Bluehost, Yibelo said that the CORS function doesn’t have appropriate filters in place for governing which websites should be allowed to access what data on the Bluehost hosted website, according to the researcher. Essentially, any website with a Bluehost domain name (https://my.bluehost.com/) will allow another website with a Bluehost domain name to read its contents.

“For instance, if the browser that sends the request is coming from https://my.bluehost.com.EVIL.com, Bluehost would allow it,” according to the research, posted Monday. “Bluehost only checked the first strings and didn’t consider what came after Bluehost.com. This means malicious attackers could host a subdomain called my.bluehost.com.EVILWEBSITE.com and [a legitimate Bluehost website] would allow EVILWEBSITE.com to read its contents.”

In testing, Yibelo was able to access various personally identifiable information (PII), such as name, location (city, street, state, country), phone number and ZIP code; partial payment details including expiration month and year, the last four digits of a card, the name on a card, card type and payment method; and tokens that that can give access to a user’s hosted WordPress, Mojo, SiteLock and various OAuth-supported endpoints.

A second, moderately-high flaw would allow account takeover because of improper JSON request validation, opening the door to cross-site request forgery (CSRF).  The vulnerability allows attackers to change the email address of any Bluehost user to the address of their choice, and then reset the password using their new email to gain complete access to the victim’s account. The attack is executed when a victim clicks a single malicious link or visits a single malicious website, according to Yibelo.

“This vulnerability can be exploited because of certain misconfigurations in Bluehost’s handling of requests and validating them,” according to the analysis. “When users try to change their personal details, such as name, phone number, address or email, Bluehost sends [a request to the platform to do so]. If you look carefully, you will notice there is no unique token sent with that request. This means any website can actually send the request to that specific endpoint cross-origin, and change your details.”

Normally this attack would be thwarted because it uses the Adobe Flash Player-dependent JSON; but Yibelo found that “special tricks and server misconfigurations” allow it to work in any browser, without using Flash:

Since browsers normally add = (equal sign) at the end of the input name, we can manipulate the JSON to include the equal sign in FirstName, and add the remaining values in the “value” attribute: organization”:null}. The request will be sent with Content-Type: text/plain and not application/json – but Bluehost doesn’t mind that, which makes our exploit work cross-origin. Normally, Bluehost checks if the referrer domain is bluehost.com – if the request is sent from any other website, Bluehost will reject the request with a 500 response. This can easily be bypassed by using Content=”no-referrer” in the meta tag, because if no-referrer is sent, Bluehost will allow the request.

A third, also moderately high vulnerability would allow account takeover by way of cross-site scripting (XSS). Yibelo determined that this (demonstrated in a proof-of-concept, here) is exacerbated by the fact that Bluehost does not require a current password when changing one’s email address, so an attacker can simply perform CSRF attack using this XSS vulnerability to take over any account; and, Bluehost doesn’t have any HttpOnly flags on sensitive cookies, which means any JavaScript can access them and send them to a malicious attacker, and the attacker can use these cookies to authenticate as the user.

“This vulnerability allows an attacker to execute commands as the client on bluehost.com – this means the ability to change, modify and add content, including the email address,” the report explained. “The attacker can read content about the victim, or change the content on their website when the victim clicks on a malicious link or visits a website.”

A video of the attack can be seen, here.

And finally, a medium-severity issue arises because of improper CORS validation, which allows a man-In-the-middle attack.

Here, instead of not verifying the domain, Bluehost doesn’t verify the scheme/protocol when allowing CORS to read its contents, meaning that it will allow access by an HTTP domain request (i.e., the traffic is unencrypted).

“This downgrade attack makes the use of SSL certificate by Bluehost completely useless and defeats the whole purpose of using an HTTPS request in the first place,” the report noted.

It’s worth noting the Bluehost isn’t alone here – Yibelo said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.

“By paying scant attention to security and privacy, web-hosting platform providers unknowingly enable bad actors to steal consumer information and commit fraud,” said Mike Bittner, digital security and operations manager for The Media Trust, via email. “This lax approach puts platform providers, their customers, and consumers at grave risk as consumer data privacy regulations around the world tighten on the one hand and attacks by malicious actors intensify on the other. Such providers should build security tests and enhancements into the product lifecycle, as every user of each site they host could be victimized by cyber thieves and fraudsters. If a provider hosting a million sites around the world takes a slapdash approach to privacy and security, imagine how many site visitors could be affected and, as a result, how many site owners would find themselves in violation of new privacy laws.”

This post was updated at 11:55 a.m. EST to reflect a response from Bluehost, and a comment from The Media Trust.

Suggested articles


  • Stuart Liedtke on

    I've been moving clients to an otherwise unknown platform for 10 years as I saw this and actually read about it back when Linode was coming of age.... because just maybe web designers and business owners really should have never put their toes in the hosting wetlands of server farms to begin with. Ok it's a mouthful, but being a specialist in these kind of takeovers and dragging the bloat into a neat Linux (Ubuntu) powered 80GBps infiniband network with an NGINX webserver at a whopping $40-$500 a month (fully managed) is actually less cost than fiddling around on a sad slice of a machine that can't keep up with any load over what the cpanel is putting on the entire network (it's just a bad tenant infrastructure) notwithstanding the CORS, XSS and other serious wake up calls this post covers. $40 a month!!! Man you must have gone right round the bend. Well listen up, the last time I heard a person who was in business saying nah, I don't want domain email for $5/address and $6 bucks is all I'll pay for hosting... isn't really in business after all. Are they? If you can build a resilient network without a control panel and teach a CMS to an employee, or just run it for them content and all. It's a great business model and it happens to work. I built on being a beta tester with Cloudflare and later on became a Cloudflare Certified Partner and build on the Profitbricks (IONOS) Platform in the Las Vegas Supernap & German Data Centers. I can't tell you how many thanks we get from folks coming from Bluehost and others basically "What a breath of fresh air not having to deal with those people" (sorry but their support agents are not at all pro's in their fields either. Cheers for a solid view of the levers behind the curtain exposed by your article.
  • LanceScurv on

    Last night I just completed migrating my blog from Bluehost to another offshore hosting company as my blog with Bluehost continued to crash leaving it down 70 percent of the time because of the same continuous issue! I’ve been with Bluehost for 9 years but enough is enough! At one time I would recommend them to everyone but now I would tell anyone to avoid them like the PLAGUE! The final straw was having an associate try to infer that I was the reason that the site was down when in fact it was the fault of Bluehost as the SIX crashes that I experienced since early November of 2018 was documented in their computers right in front of her face! Good Riddance Bluehost, my you get your just due!
  • David Brookfield on

    So, I'm in agreement with Stuart here, But here is my story, I'm working on a problem for a client of mine that had their Bluehost account hacked, thank goodness they didn't use them as a web hosting platform and are with a serious outfit siteground.co.uk but sadly for them they had their business email with Bluehost. This is the anatomy of what happened, Friday the 11th they lose access to their IMAP email, they're not sure what has happened and try to login to their control panel and they can't. They contact Bluehost support and this is the very sorry story at this point this is normal behaviour right? 1pm Friday they go to contact support, it's urgent they have all lost their email except for one account, so they need to call. Bluehost only have a US number to call despite being an international company. They speak to a support agent tell them the problem, the support agent tells them that their account details have been changed and that the password and email address have been changed out and that account user email has been swapped out to a gmail address. So my client tells them we didn't do this and the agent agrees it looks suspicious. My client asks for it to be changed back. He can't do this it needs to be escalated. Why's that? Well we need to protect the account, what do you mean, it's our account. The story goes on and on my client can prove they have paid for the service, they can prove who they are, but because the company this account was created for was 18 years ago and it went into liquidation there s no company certificate. But because this is the UK and we have an open, honest and transparent company formation that's ok we can get the liquidation letter with the name of the owner at the time, this matches the purchases details and the identification. However bluehost refuse to accept this, because this information is publicly available. They need something else, despite that this information would be good enough for UK law enforcement and or our own tax HMRC, but here is the thing HMRC will only printout what is on the website. The circle goes on. Bluehost just isn't fit for purpose. No Two-factor authentication, they don't even email the owner account.. The saddest part of this, if you would expect an ethical company to work with its client, not to compound the problem. It's also a salient point for anyone that needs hosting or any tech services, the way to rate a company is not how things go when things are working, it's how they respond when things aren't working. BlueHost, are a massive fail where this is concerned. So my client has no option but to move their email to another service, they've lost 1 weeks of email. But here is the kicker the simple fact they can move name servers and the whois information is the same as the clients, should be proof enough of domain ownership. Just another case of a US Based Hosting company with security that isn't fit for purpose and archaic rules that don't apply to a modern world.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.