I'm less interested in how vulnerable Bluehost and Dreamhost are (of course they are), and more interested in how good a writeup this is about finding variants of and then weaponizing a handful of vulnerabilities most pros would write off as sev:lo hygiene bugs. The form POST as JSON is particularly cute. This is pretty great.
Here's a quick breakdown:
1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.
2. A form POST encoded text/plain that gets interpreted as JSON to bypass CSRF check.
3. Using CORS origin check gaps to do an HTTP downgrade.
4. XSS-ATO by email address changes (this is pretty vanilla).
5. Sending “token[]=” to break PHP CSRF token check through type confusion.
6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.
7. Setting content-type=text/plain; application/json to fake out browser check for JSON and bypassing CSRF at OVH.
8. Some fiddly and not super interesting CSP bypasses.
These seem to have been "technical" bugs, mostly in the client-server communication of the self-service websites.
But hosting management also has a whole lot of potential for logical errors. I work at a B2B ISP that is also a managed service provider, and every now and then somebody calls for more self-service. I'm not against it, but it's full of landmines.
It starts with such simple things as account creation. We allow accounts with the appropriate roles to be used for several different customers, which means we cannot namespace them by tenant.
We used to give accounts usernames based on the first and last name, but that makes it very easy to leak which other accounts exists (when "John Doe" becomes "johndoe4" instead of just "johndoe", you can infer the existence of other accounts, and thus that other "John Doe"s are among our customer base). We had to change that, which isn't as easy as it sounds for a company that has been doing things a certain way for 25 years.
Potential logic errors and information leaks lurk in all places where you cannot namespace things because they are not fully under your control, which can be IP addresses (big customers bring their own address spaces, and IPv4 address space is too small for generous segmentation), Domains, email addresses, phone numbers and so on.
This a very heterogeneous business, aka "we do whatever the customer pays for".
One customer has one or two whole /8 blocks of public IPs that they use even for internal systems in our data centers. Others are IPv6 on the inside and IPv4 public facing. Some are big layer 2 setups (which we internally route through IPv6).
Are the old hosting companies of the past still sharing the same disk with other users? I remember going cd .. and seeing a bunch of folders in /home from other users. If any one of those users used a chmod incorrectly I would be able to access their shit. It is not super likely for most files but well known files can be a problem. Beyond that, trusted CGI-BIN processes could probably be used to get around security concerns (takes some work). I've been wondering if many of these FTP/SSH/Hosting sites have since moved to docker or some containerization tech.
All this assuming the hacker would use a gift card to get a paid account to start.
I have a shared hosting account with Dreamhost. A while back I went looking for accessible stuff under other user's accounts. It was fairly easy to find both readable and writable directories.
This was a while ago so I don't know if they found a solution. User home directories are private but you can easily guess common paths under them (eg wordpress).
`wp-content/uploads` that everyone set to 777 because Wordpress used to (maybe still does?) have obtuse documentation on how to make this writeable in a safe way.
I know of a legacy hosting solution that uses shared disks, but they also use a chroot wrapper for the sftp access to make sure a misuse of chmod doesn't leak data to other customers.
Allowing executable code (CGI, PHP) in such an environment is just a recipe for trouble.
Dreamhost had the best response of all of them (at the bottom of the article).
Anecdotally, I've used Dreamhost for years as a domain host and have had nothing but positive experiences.
Originally I switched to them for being very vocally against SOPA, and they've consistently been on the right side of various Internet legislative issues.
I've been with Dreamhost personally for almost two decades, and as a group my friends have a shared account with them that's far older. Like, old enough that work was done on porting code to _the brand new PHP3_.
They do seem like good people, I have no plan to move my own stuff from Dreamhost and I can't fault their customer service, but I also cannot recommend for stuff beyond vanity domains, fun side projects and so on because they've had so many issues that suggest a lot of stuff is kind of half-arsed. My home Internet service provider is also good hearted, but they've also been very _competent_ which is important, and I just can't honestly say that about Dreamhost.
Three (of many) Examples:
I own a .co.uk domain, and the people who run .co.uk have different requirements for WHOIS and for how domain transfers work. So Dreamhost would present me a generic "Here's how to change WHOIS" page and then it'd mysteriously fail, but actually their backend just didn't work with that entire 2LD, and domain transfer stuff would not work or it'd seem to work but then payment was rejected and the transfer doesn't go through...
I made a DNS change through Dreamhost's control panel, and after a reasonable period of time (maybe an hour?) of Dreamhost's three authoritative DNS servers only one had updated. So I talk to their support. They say I need to wait for it to "propagate" which is bullshit, these are authoritative servers, "propagating" data to the authoritative servers is Dreamhost's problem and if they can't do it in an hour what are they using, carrier pigeons? Then the support person shows me dig results they see locally for those DNS servers which don't match results I see, showing that actually these servers are either split brain or anycast groups, I ask about that, and the tech assures me that no, the answers they see are correct and that answers I see, by literally querying the same IP addresses, must need to "propagate" for a few hours more. After enough prompting they relent and say they'll "check" with someone about the DNS servers. Literally under 60 seconds after going to "check" the results are fixed. Huh, what a "coincidence".
Most hilariously one time they charged me for a year in advance entirely by accident, someone fat fingered a script that takes money from customer accounts. Now, like I said their customer service is good, I got the money refunded together with my costs for the currency difference between when they took the bogus transaction and when it was refunded rounded up. But if I had a $5000 contract that'd have hurt a lot more than it did for a few vanity sites.
> I also cannot recommend for stuff beyond vanity domains, fun side projects and so on
Seconded.
Dreamhost is fantastic at tone in their communications, especially broad public communications; they sound accessible, human, and open rather than corporate... and maybe they are, or maybe that's just part of their brand.
They are not, however, super reliable when it comes to availability, especially if your resource usage starts to approach something on the order of magnitude stated capacity, and in that case you will find out that there are the system rules they sold you on, and there's the unwritten rules which may or may not even be legible to you by the time you're done.
This is not unheard of when it comes to discount hosting, of course, and I don't expect them to be different. Just sayin' that neither should anyone else.
I wish they had kept going till they found a web hosting firm that didn't have these issues. Can anyone -- not affiliated with such a firm -- recommend one?
If you are affiliated with such a firm, and you respond anyway, please explain what you do differently.
I'm the founder of https://KubeSail.com (YC S19) - we're building a Cloud Hosting platform for human beings built on the back of Kubernetes. We want to make Kube accessible to ordinary people trying to get work done - but at the same time offer the "right path" for developers who know they want real tools, not black-boxes. We're a deployment platform you'll never outgrow! The idea is to allow even junior developers to build powerful cloud-native apps with zero lock-in from day 1. We're also building a template system to help people share server apps with each other (ie: you can launch a dokuwiki https://kubesail.com/template/erulabs/dokuwiki/ with one click). We have a ton to build and big plans, and have not publicly launched, but please let me know what you think! The site is live and free for GitHub users! We consider ourselves the non-ops Kubernetes tool - or to put it another way, GitHub is to Git as KubeSail is to Kubernetes
We're working really hard on securing multi-tenant Kubernetes clusters and have some tricks up our sleeves from years in the cloud industry, but we have not yet completed any external audits - that said, as the CTO, I take security _extremely seriously_ and consider it my number 1 priority, if that helps! We use tech like containerd, gvisor, eBPF and lots more to secure users containers on our multi-tenant hosting tier.
Factor in that all of these hosts are used primarily for Wordpress hosting(Bluehost is the recommended partner). So, the plausible attack vectors for exploiting these vulnerabilities are plenty via thousands of plugins.
Can attest, having worked at the Bluehost brand as a tier 2 chat support (before they shut down everything and offshored all support to the Indian CEO's family's Indian call center).
The company is a fucking nightmare. ALL EIG brands should be avoided like the plague including Constant Contact, site5, bluehost, hostgator, fastdomains, justhost, hostmonster, ipage, NetFirms, UnifiedLayer, IpowerWeb, PowWeb, ResellerClub, HostNine, HostCentric, Domain.com, Dotster, Verio, AppMachine, Arvixe...etc...
They have horrible security. Hacked sites were the norm not the exception. The techs we had were decent, but when things started off-shoring the off-shore tech's were complete idiots who couldn't figure out how to add space to a VPS...That was in 2015, I'm sure now it's way worse. I left in 2014/2015 to do development full-time, my wife worked there till they shut down their Orem, UT operations.
We had friends who they actually got to move to AZ to work w/ hostgator during the transition, and then fired 3 months later after they didn't need them anymore and AFTER they'd already bought a house in AZ... real pieces of shit there...
The CEO even said 3 weeks before everyone got the notification they were being canned "Don't worry your jobs are all safe, nobody's getting laid off" ...lmao
Unluckily, in the majority of small and mid-sized businesses, non-technical people like sales and middle managers are responsible for making technical decisions, like picking a hosting provider.
Witness all of the otherwise upright companies that have domains through GoDaddy.
Would setting samesite cookie values have mitigated Bluehost's problems 1 and 2 in part? Or do CORS requests include cookies for compatibility purposes?
SameSite cookies are never sent on CORS requests (not even when the server explicitly allows CORS requests with credentials [1]).
In other words: yes, it would have mitigated Bluehost's problems. It would also have broken their sites (or otherwise they would not be needing to use CORS requests at all).
I think everyone need to remember CORS is a browser-only protection and anything you expose via CORS protected endpoint in reallity has no protection at all. Try cURL reaching any endpoint protected by CORS and you'll see what I mean.
Also browsers automatic sending cookie enable many of these CSRF, consider JWT.
If you've taken the time to understand things well, you'll do just fine, even with PHP. Otherwise, the quirks of any language/library/tool may catch you out (it's not just a PHP thing).
Lots of people seem to have anticipated these results! So, is it OK now that for low-volume static sites I've just thrown everything on S3? How about adding in lambda and SQS for low-volume almost-static sites? Is it still terrible that I've wasted cents per month on these services?
Thank you for reaching out to Bluehost via our press@ email address; as a brief introduction, I am writing you from Endurance International Group, parent company to Bluehost and several other web hosting services. In regards to your questions for how to best protect your website, one of the best things you can do to invest in your business is to acquire web security, something like Sitelock, to protect you from malware. Below you will find the following: i.) article from Sucuri.net explaining more about website security, and ii.) information to speak to Bluehost representatives more in depth about our partnership with Sitelock and help you set up that addon service, if this is what you wish.
As I mentioned in another thread, I used to work for EIG... and 'one does not simply reply to a CSR request without first offering an upsell...' was a meme that was posted quite often.
The good news is that these require a successful phishing attack, which is the number one way of getting hacked. Best to never click on any links in email.
I disagree. It's very easy to make such mistakes, often even to miss them in code review. You also cannot simply cover all potential errors in integration tests, because there are infinitely many potential errors you can make.
You need continuous or regular red-teaming or comparable security controls to reliably avoid such things, and you typically only have those at the really big and high-tech companies, or in highly attacked or regulated environments.
The other thing to keep in mind is that these companies are all in the lowest-cost tier of web hosting, which means the customers they're all fighting over by definition don't care about much other than getting the absolute cheapest possible solution. If they have a choice between a $9/month host with abysmal security and a $10/month host with robust security, I guarantee you 99% will go with the $9/month one. So anyone in these companies arguing for greater investment in things like security is going to have a hard time convincing management that it's worth the additional expense.
This tier of the market is also where the less-technical customers tend to congregate, so even if you have great security, most of your customers aren't going to be in a position to be able to appreciate that. You could argue that security is a potential marketing plus, but then you could get the same "pop" by just claiming you have great security without actually providing it. It's not like your customers are going to be able to tell the difference.
The other huge point is it's easy to get some regular Red Team penetration testing, it's quite another thing to get what the Red Team found in their analysis mitigated properly in a timely fashion.
I have several friends who are on Red Teams working for pretty visible info sec companies. The one thing they always harp on is going back to test a companies network or physical infrastructure and finding most, if not all of the necessary fixes have not been corrected from their last visit.
You're right, big companies do have regular testing, but you'd be surprised how slowly those holes and issues actually get fixed.
- Not performing a task that isn't explicitly committed to in the service description or contract. If something is left unsaid, that it isn't happening.
- Not performing a task that they aren't solely accountable for. If you "share" a responsibility, it is your responsibility.
I wonder if management just can't tell what is and isn't important, so they err on spending nothing until it blows up. Then they now this is something they might need to spend money on.
Here's a quick breakdown:
1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.
2. A form POST encoded text/plain that gets interpreted as JSON to bypass CSRF check.
3. Using CORS origin check gaps to do an HTTP downgrade.
4. XSS-ATO by email address changes (this is pretty vanilla).
5. Sending “token[]=” to break PHP CSRF token check through type confusion.
6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.
7. Setting content-type=text/plain; application/json to fake out browser check for JSON and bypassing CSRF at OVH.
8. Some fiddly and not super interesting CSP bypasses.