
We tested popular web hosting companies and all were easily hacked - jcassee
https://www.websiteplanet.com/blog/report-popular-hosting-hacked/
======
tptacek
I'm less interested in how vulnerable Bluehost and Dreamhost are (of course
they are), and more interested in how good a writeup this is about finding
variants of and then weaponizing a handful of vulnerabilities most pros would
write off as sev:lo hygiene bugs. The form POST as JSON is particularly cute.
This is pretty great.

Here's a quick breakdown:

1\. Autogenerating CORS headers based on a regexp that can be tricked into
allowing <safe.org>.evil.org.

2\. A form POST encoded text/plain that gets interpreted as JSON to bypass
CSRF check.

3\. Using CORS origin check gaps to do an HTTP downgrade.

4\. XSS-ATO by email address changes (this is pretty vanilla).

5\. Sending “token[]=” to break PHP CSRF token check through type confusion.

6\. Breaking a different CORS generator by smuggling the whitelisted domain
into a ?urlparam=safe.org.

7\. Setting content-type=text/plain; application/json to fake out browser
check for JSON and bypassing CSRF at OVH.

8\. Some fiddly and not super interesting CSP bypasses.

~~~
ncc-erik
My go-to link for that class of issue is: [https://developer.mozilla.org/en-
US/docs/Web/HTTP/CORS#Simpl...](https://developer.mozilla.org/en-
US/docs/Web/HTTP/CORS#Simple_requests)

It's usually a lot easier to write the PoC with fetch() though.

------
perlgeek
These seem to have been "technical" bugs, mostly in the client-server
communication of the self-service websites.

But hosting management also has a whole lot of potential for logical errors. I
work at a B2B ISP that is also a managed service provider, and every now and
then somebody calls for more self-service. I'm not against it, but it's full
of landmines.

It starts with such simple things as account creation. We allow accounts with
the appropriate roles to be used for several different customers, which means
we cannot namespace them by tenant.

We used to give accounts usernames based on the first and last name, but that
makes it very easy to leak which other accounts exists (when "John Doe"
becomes "johndoe4" instead of just "johndoe", you can infer the existence of
other accounts, and thus that other "John Doe"s are among our customer base).
We had to change that, which isn't as easy as it sounds for a company that has
been doing things a certain way for 25 years.

Potential logic errors and information leaks lurk in all places where you
cannot namespace things because they are not fully under your control, which
can be IP addresses (big customers bring their own address spaces, and IPv4
address space is too small for generous segmentation), Domains, email
addresses, phone numbers and so on.

~~~
BlueTemplar
Curious, shouldn't you have moved over to IPv6 at this point?

~~~
perlgeek
This a very heterogeneous business, aka "we do whatever the customer pays
for".

One customer has one or two whole /8 blocks of public IPs that they use even
for internal systems in our data centers. Others are IPv6 on the inside and
IPv4 public facing. Some are big layer 2 setups (which we internally route
through IPv6).

------
rhacker
Are the old hosting companies of the past still sharing the same disk with
other users? I remember going cd .. and seeing a bunch of folders in /home
from other users. If any one of those users used a chmod incorrectly I would
be able to access their shit. It is not super likely for most files but well
known files can be a problem. Beyond that, trusted CGI-BIN processes could
probably be used to get around security concerns (takes some work). I've been
wondering if many of these FTP/SSH/Hosting sites have since moved to docker or
some containerization tech.

All this assuming the hacker would use a gift card to get a paid account to
start.

~~~
ummonk
Standard containerization technology (e.g. docker) isn’t designed to sandbox
untrusted code.

~~~
inetknght
Do tell what is designed to sandbox untrusted code

~~~
jturpin
AWS Has written Firecracker for this purpose [https://firecracker-
microvm.github.io/](https://firecracker-microvm.github.io/)

------
optimiz3
Dreamhost had the best response of all of them (at the bottom of the article).

Anecdotally, I've used Dreamhost for years as a domain host and have had
nothing but positive experiences.

Originally I switched to them for being very vocally against SOPA, and they've
consistently been on the right side of various Internet legislative issues.

~~~
tialaramex
I've been with Dreamhost personally for almost two decades, and as a group my
friends have a shared account with them that's far older. Like, old enough
that work was done on porting code to _the brand new PHP3_.

They do seem like good people, I have no plan to move my own stuff from
Dreamhost and I can't fault their customer service, but I also cannot
recommend for stuff beyond vanity domains, fun side projects and so on because
they've had so many issues that suggest a lot of stuff is kind of half-arsed.
My home Internet service provider is also good hearted, but they've also been
very _competent_ which is important, and I just can't honestly say that about
Dreamhost.

Three (of many) Examples:

I own a .co.uk domain, and the people who run .co.uk have different
requirements for WHOIS and for how domain transfers work. So Dreamhost would
present me a generic "Here's how to change WHOIS" page and then it'd
mysteriously fail, but actually their backend just didn't work with that
entire 2LD, and domain transfer stuff would not work or it'd seem to work but
then payment was rejected and the transfer doesn't go through...

I made a DNS change through Dreamhost's control panel, and after a reasonable
period of time (maybe an hour?) of Dreamhost's three authoritative DNS servers
only one had updated. So I talk to their support. They say I need to wait for
it to "propagate" which is bullshit, these are authoritative servers,
"propagating" data to the authoritative servers is Dreamhost's problem and if
they can't do it in an hour what are they using, carrier pigeons? Then the
support person shows me dig results they see locally for those DNS servers
which don't match results I see, showing that actually these servers are
either split brain or anycast groups, I ask about that, and the tech assures
me that no, the answers they see are correct and that answers I see, by
literally querying the same IP addresses, must need to "propagate" for a few
hours more. After enough prompting they relent and say they'll "check" with
someone about the DNS servers. Literally under 60 seconds after going to
"check" the results are fixed. Huh, what a "coincidence".

Most hilariously one time they charged me for a year in advance entirely by
accident, someone fat fingered a script that takes money from customer
accounts. Now, like I said their customer service is good, I got the money
refunded together with my costs for the currency difference between when they
took the bogus transaction and when it was refunded rounded up. But if I had a
$5000 contract that'd have hurt a lot more than it did for a few vanity sites.

~~~
wwweston
> I also cannot recommend for stuff beyond vanity domains, fun side projects
> and so on

Seconded.

Dreamhost is fantastic at tone in their communications, especially broad
public communications; they sound accessible, human, and open rather than
corporate... and maybe they are, or maybe that's just part of their brand.

They are not, however, super reliable when it comes to availability,
especially if your resource usage starts to approach something on the order of
magnitude stated capacity, and in that case you will find out that there are
the system rules they sold you on, and there's the unwritten rules which may
or may not even be legible to you by the time you're done.

This is not unheard of when it comes to discount hosting, of course, and I
don't expect them to be different. Just sayin' that neither should anyone
else.

------
omarhaneef
I wish they had kept going till they found a web hosting firm that didn't have
these issues. Can anyone -- not affiliated with such a firm -- recommend one?

If you are affiliated with such a firm, and you respond anyway, please explain
what you do differently.

~~~
erulabs
I'm the founder of [https://KubeSail.com](https://KubeSail.com) (YC S19) -
we're building a Cloud Hosting platform for human beings built on the back of
Kubernetes. We want to make Kube accessible to ordinary people trying to get
work done - but at the same time offer the "right path" for developers who
know they want real tools, not black-boxes. We're a deployment platform you'll
never outgrow! The idea is to allow even junior developers to build powerful
cloud-native apps with zero lock-in from day 1. We're also building a template
system to help people share server apps with each other (ie: you can launch a
dokuwiki
[https://kubesail.com/template/erulabs/dokuwiki/](https://kubesail.com/template/erulabs/dokuwiki/)
with one click). We have a ton to build and big plans, and have not publicly
launched, but please let me know what you think! The site is live and free for
GitHub users! We consider ourselves the non-ops Kubernetes tool - or to put it
another way, GitHub is to Git as KubeSail is to Kubernetes

We're working really hard on securing multi-tenant Kubernetes clusters and
have some tricks up our sleeves from years in the cloud industry, but we have
not yet completed any external audits - that said, as the CTO, I take security
_extremely seriously_ and consider it my number 1 priority, if that helps! We
use tech like containerd, gvisor, eBPF and lots more to secure users
containers on our multi-tenant hosting tier.

------
Abishek_Muthian
Factor in that all of these hosts are used primarily for Wordpress
hosting(Bluehost is the recommended partner). So, the plausible attack vectors
for exploiting these vulnerabilities are plenty via thousands of plugins.

------
ghostbrainalpha
3 of the 5 companies they tested are really the same company.

"Endurance, who runs Bluehost, iPage, and HostGator:"

~~~
gremlinsinc
Can attest, having worked at the Bluehost brand as a tier 2 chat support
(before they shut down everything and offshored all support to the Indian
CEO's family's Indian call center).

The company is a fucking nightmare. ALL EIG brands should be avoided like the
plague including Constant Contact, site5, bluehost, hostgator, fastdomains,
justhost, hostmonster, ipage, NetFirms, UnifiedLayer, IpowerWeb, PowWeb,
ResellerClub, HostNine, HostCentric, Domain.com, Dotster, Verio, AppMachine,
Arvixe...etc...

They have horrible security. Hacked sites were the norm not the exception. The
techs we had were decent, but when things started off-shoring the off-shore
tech's were complete idiots who couldn't figure out how to add space to a
VPS...That was in 2015, I'm sure now it's way worse. I left in 2014/2015 to do
development full-time, my wife worked there till they shut down their Orem, UT
operations.

We had friends who they actually got to move to AZ to work w/ hostgator during
the transition, and then fired 3 months later after they didn't need them
anymore and AFTER they'd already bought a house in AZ... real pieces of shit
there...

The CEO even said 3 weeks before everyone got the notification they were being
canned "Don't worry your jobs are all safe, nobody's getting laid off" ...lmao

~~~
_bxg1
Luckily most of those domain names already scream "do not trust this hosting
service"

~~~
reaperducer
Unluckily, in the majority of small and mid-sized businesses, non-technical
people like sales and middle managers are responsible for making technical
decisions, like picking a hosting provider.

Witness all of the otherwise upright companies that have domains through
GoDaddy.

------
judge2020
Would setting samesite cookie values have mitigated Bluehost's problems 1 and
2 in part? Or do CORS requests include cookies for compatibility purposes?

~~~
kilburn
SameSite cookies are never sent on CORS requests (not even when the server
explicitly allows CORS requests with credentials [1]).

In other words: yes, it would have mitigated Bluehost's problems. It would
also have broken their sites (or otherwise they would _not_ be needing to use
CORS requests at all).

[1] [https://developer.mozilla.org/en-
US/docs/Web/HTTP/Headers/Ac...](https://developer.mozilla.org/en-
US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials)

------
durbatuluk
I think everyone need to remember CORS is a browser-only protection and
anything you expose via CORS protected endpoint in reallity has no protection
at all. Try cURL reaching any endpoint protected by CORS and you'll see what I
mean.

Also browsers automatic sending cookie enable many of these CSRF, consider
JWT.

Amazing how PHP is still bitting developers.

~~~
osrec
If you've taken the time to understand things well, you'll do just fine, even
with PHP. Otherwise, the quirks of any language/library/tool may catch you out
(it's not just a PHP thing).

------
jessaustin
Lots of people seem to have anticipated these results! So, is it OK now that
for low-volume static sites I've just thrown everything on S3? How about
adding in lambda and SQS for low-volume almost-static sites? Is it still
terrible that I've wasted cents per month on these services?

------
joshdance
Has anyone asked for a comment from any of these companies? Seems like a big
security problem.

~~~
joshdance
I emailed Bluehost, this is the response I got.

Hello Joshua,

Thank you for reaching out to Bluehost via our press@ email address; as a
brief introduction, I am writing you from Endurance International Group,
parent company to Bluehost and several other web hosting services. In regards
to your questions for how to best protect your website, one of the best things
you can do to invest in your business is to acquire web security, something
like Sitelock, to protect you from malware. Below you will find the following:
i.) article from Sucuri.net explaining more about website security, and ii.)
information to speak to Bluehost representatives more in depth about our
partnership with Sitelock and help you set up that addon service, if this is
what you wish.

i.) [https://sucuri.net/guides/website-
security/](https://sucuri.net/guides/website-security/) ii.) 888-401-4678 |
[https://helpchat.bluehost.com/](https://helpchat.bluehost.com/)

Kind regards,

Jacob Endurance International Group

~~~
jszymborski
"You got hacked because you didn't give us enough money"... these guys should
get into the Ransomware business.

~~~
gremlinsinc
As I mentioned in another thread, I used to work for EIG... and 'one does not
simply reply to a CSR request without first offering an upsell...' was a meme
that was posted quite often.

------
x__x
I stay away from Endurance International, which own a ton of hosting
companies:

[https://en.wikipedia.org/wiki/Endurance_International_Group](https://en.wikipedia.org/wiki/Endurance_International_Group)

------
poxrud
The good news is that these require a successful phishing attack, which is the
number one way of getting hacked. Best to never click on any links in email.

------
marmot777
Were there web hosting services known for being more secure? For example, is
AWS (particularly EC2 and LightSail) considered inherently more secure

------
EricE
I always assumed cheap hosts were terrible, but this is mind boggling
incompetence beyond what I would have imagined.

~~~
perlgeek
> but this is mind boggling incompetence

I disagree. It's very easy to make such mistakes, often even to miss them in
code review. You also cannot simply cover all potential errors in integration
tests, because there are infinitely many potential errors you can make.

You need continuous or regular red-teaming or comparable security controls to
reliably avoid such things, and you typically only have those at the _really_
big and high-tech companies, or in highly attacked or regulated environments.

~~~
smacktoward
The other thing to keep in mind is that these companies are all in the lowest-
cost tier of web hosting, which means the customers they're all fighting over
by definition don't care about much other than getting the absolute cheapest
possible solution. If they have a choice between a $9/month host with abysmal
security and a $10/month host with robust security, I guarantee you 99% will
go with the $9/month one. So anyone in these companies arguing for greater
investment in things like security is going to have a hard time convincing
management that it's worth the additional expense.

This tier of the market is also where the less-technical customers tend to
congregate, so even if you _have_ great security, most of your customers
aren't going to be in a position to be able to appreciate that. You could
argue that security is a potential marketing plus, but then you could get the
same "pop" by just _claiming_ you have great security without actually
providing it. It's not like your customers are going to be able to tell the
difference.

------
js4ever
Just don't use cookies and all those attacks are irrelevants

------
_bxg1
In fairness these are decidedly not top-tier hosting services

