A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer’s account at some of the largest web hosting companies on the internet.
In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers — Bluehost, DreamHost, Hostgator, OVH and iPage. […]
All of the companies except OVH — which didn’t respond to a request for comment sent prior to publication — confirmed that the bugs were fixed. […]
Kristen Andrews, a spokesperson for Endurance, a web hosting company that owns Bluehost, Hostgator and iPage […] did not say if the bugs had been exploited or if customer accounts or data had been compromised.
DreamHost […] found no evidence to suggest anyone exploited the bug outside Yibelo’s testing. […]
It’s remarkable to think that, of all the ways to break into a website, the way in often, as Yibelo showed, isn’t through any convoluted attack or busting firewalls. It’s simply through the front door of the site’s host, requiring little effort for the average hacker.