He said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.

A researcher claims to have uncovered one-click client-side vulnerabilities in the popular Bluehost web hosting platform. These would allow cybercriminals to easily carry out complete account takeover, according to the analysis.

Independent researcher and bug-hunter Paulos Yibelo, working with Website Planet, set up a testing site with Bluehost, which powers more than 2 million sites around the world according to its “About Us” page. He found multiple account takeover and information leak vulnerabilities in the platform, as well as a lack of password verification when changing account credentials.

The highest-severity problem that Yibelo uncovered was a misconfiguration of cross-origin resource sharing (CORS), the browser mechanism by which a site declares which other origins may read its responses, and so share resources across domains. When that policy is too permissive, a site the victim merely visits can read responses that carry the victim's logged-in session.

[...] A second, moderately high-severity flaw would allow account takeover because JSON requests are not properly validated, opening the door to cross-site request forgery (CSRF). The vulnerability allows an attacker to change the email address of any Bluehost user to an address of the attacker's choice, and then reset the password via that new email to gain complete access to the victim's account. The attack is executed when a victim clicks a single malicious link or visits a single malicious website, according to Yibelo.

[...] A third, also moderately high-severity vulnerability would allow account takeover by way of cross-site scripting (XSS). Yibelo determined that this flaw (demonstrated in a proof-of-concept, here [0]) is exacerbated by two other weaknesses. First, Bluehost does not require the current password when changing one's email address, so an attacker can simply perform a CSRF attack using this XSS vulnerability to take over any account. Second, Bluehost sets no HttpOnly flag on sensitive cookies, which means any JavaScript, including injected script, can read them and send them to the attacker, who can then use the cookies to authenticate as the user.
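The two preceding paragraphs describe one chain: a JSON endpoint that accepts forged cross-site requests, no current-password check on an email change, and session cookies readable by script. The following is an added example, not Bluehost's code or the researcher's proof of concept, that models that chain against an invented email-change endpoint: how an attacker's HTML form forges a JSON body, a lenient handler that accepts it, a hardened handler that rejects it and re-authenticates, and a Set-Cookie audit for the missing HttpOnly flag. The origins, the hard-coded password check and the header names are assumptions for illustration.

```javascript
// Added example, not Bluehost code. Models the CSRF-via-JSON chain described
// above with invented origins and a stand-in password check.

// A form with enctype="text/plain" sends each field as `name=value` followed by
// CRLF. With a crafted field name and value the whole body is valid JSON.
function textPlainFormBody(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}\r\n`).join("");
}

// Constructed forged request, as the victim's browser sends it after the
// attacker's page auto-submits the form: session cookie attached,
// Content-Type text/plain, Origin of the attacker's site.
const forgedRequest = {
  method: "POST",
  headers: {
    "content-type": "text/plain",
    origin: "https://attacker.example",
    cookie: "session=victim-session-id",
  },
  body: textPlainFormBody({ '{"email":"attacker@example.com","pad":"': '"}' }),
};

// Constructed legitimate request from the panel's own front-end script.
const legitimateRequest = {
  method: "POST",
  headers: {
    "content-type": "application/json",
    origin: "https://panel.example",
    "x-requested-with": "XMLHttpRequest",
    cookie: "session=victim-session-id",
  },
  body: JSON.stringify({ email: "me@example.com", currentPassword: "correct horse" }),
};

// Vulnerable handler: anything that parses as JSON is accepted, and the
// current password is never asked for.
function changeEmailLenient(req) {
  try {
    return { ok: true, email: JSON.parse(req.body).email };
  } catch (e) {
    return { ok: false, reason: "not json" };
  }
}

// Hardened handler. Any one of the first three checks defeats the form-based
// forgery; the password check covers the missing re-authentication.
function changeEmailHardened(
  req,
  trustedOrigin = "https://panel.example",
  verifyPassword = (p) => p === "correct horse" // stand-in for a real check
) {
  const h = req.headers;
  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  // An HTML form cannot send application/json; a fetch() that does triggers a
  // CORS preflight, which the server can refuse.
  if (mediaType !== "application/json") return { ok: false, reason: "content-type" };
  // Forms cannot set custom headers at all.
  if (h["x-requested-with"] !== "XMLHttpRequest") return { ok: false, reason: "custom header" };
  // Browsers attach Origin to cross-site POSTs; accept only our own.
  if (h.origin !== trustedOrigin) return { ok: false, reason: "origin" };
  let data;
  try { data = JSON.parse(req.body); } catch (e) { return { ok: false, reason: "not json" }; }
  // Re-authenticate before any change that affects account recovery.
  if (typeof data.currentPassword !== "string" || !verifyPassword(data.currentPassword)) {
    return { ok: false, reason: "current password required" };
  }
  if (typeof data.email !== "string") return { ok: false, reason: "email" };
  return { ok: true, email: data.email };
}

// Session cookie with the flags that keep injected script from reading it
// (HttpOnly) and limit where it travels (Secure, SameSite).
function sessionCookieHeader(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Audit a Set-Cookie header value and list the protective attributes it lacks.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}
```

Run the forged request through both handlers to see the difference: the lenient one changes the email to the attacker's address, the hardened one stops at the Content-Type check. The cookie audit is the kind of check to run against a site's real Set-Cookie responses; a session cookie that reports HttpOnly as missing is exactly the condition that turns an XSS into a session theft.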

[...] And finally, a medium-severity issue arises because of improper CORS validation, which allows a man-in-the-middle attack.
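The highest-severity CORS misconfiguration and this medium-severity CORS validation issue are the same mechanism failing in two ways. The following is an added example, not Bluehost's code, that puts two misconfigured server-side CORS policies beside a hardened one and models the check a browser performs, so the effect of each can be evaluated offline. The origins are invented. The second misconfiguration, an allow-list that matches the host name but ignores the scheme, is one assumed way a CORS bug becomes a man-in-the-middle problem; the article does not say which check Bluehost got wrong.

```javascript
// Added example, not Bluehost code. Three CORS policies and a model of the
// browser's credentialed-response check. Origins are invented.

const TRUSTED_ORIGINS = new Set(["https://panel.example"]);

// Misconfiguration 1: reflect whatever Origin arrives and allow credentials.
// Any site the logged-in victim visits can then read the API's responses.
function corsReflectOrigin(origin) {
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
  };
}

// Misconfiguration 2 (assumed reading of "improper CORS validation"): match on
// host name only. A plaintext http:// origin of the trusted host passes, so an
// attacker on the network path who can inject script into any http:// page on
// that host gains read access to the https:// API with the victim's cookies.
function corsHostOnly(origin) {
  let host;
  try { host = new URL(origin).host; } catch (e) { return {}; }
  const trusted = [...TRUSTED_ORIGINS].some((o) => new URL(o).host === host);
  return trusted ? corsReflectOrigin(origin) : {};
}

// Hardened: exact match on the full origin (scheme, host, port), no CORS
// headers at all otherwise, and Vary: Origin so caches keep answers apart.
function corsAllowList(origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return {};
  return { ...corsReflectOrigin(origin), vary: "Origin" };
}

// Browser side: may a page at pageOrigin read a credentialed response carrying
// these headers? With credentials the wildcard "*" is never accepted and the
// allowed origin must match the page's origin exactly.
function browserCanRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  return acao !== undefined && acao !== "*" && acao === pageOrigin && acac === "true";
}

// Can a page at pageOrigin read the victim's data under a given server policy?
function exposed(policy, pageOrigin) {
  return browserCanRead(pageOrigin, policy(pageOrigin));
}
```

The practical check mirrors `exposed`: send a request to the authenticated API with an `Origin` header you control (an unrelated site, and separately the `http://` form of the real origin) and look at whether the response echoes it in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`. Either echo means a page at that origin can read the logged-in user's data.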

[...] Threatpost reached out to Bluehost for comment on the findings, and will update this post with any response.

[...] It’s worth noting that Bluehost isn’t alone here: Yibelo said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.