
We tested popular web hosting companies and all were easily hacked

276 points by jcassee, over 5 years ago

17 comments

tptacek, over 5 years ago
I'm less interested in how vulnerable Bluehost and Dreamhost are (of course they are), and more interested in how good a writeup this is about finding variants of and then weaponizing a handful of vulnerabilities most pros would write off as sev:lo hygiene bugs. The form POST as JSON is particularly cute. This is pretty great.

Here's a quick breakdown:

1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.

2. A form POST encoded text/plain that gets interpreted as JSON to bypass CSRF check.

3. Using CORS origin check gaps to do an HTTP downgrade.

4. XSS-ATO by email address changes (this is pretty vanilla).

5. Sending "token[]=" to break PHP CSRF token check through type confusion.

6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.

7. Setting content-type=text/plain; application/json to fake out browser check for JSON and bypassing CSRF at OVH.

8. Some fiddly and not super interesting CSP bypasses.
Comment #21607870 not loaded
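To make the server-side side of items 1, 2/7 and 5 concrete, here is an added example (not code from the article, the thread, or any of the hosts named) showing each weak check next to a strict replacement. The allow-list, the loose regexp and the `csrf_token_ok` helper are constructed for illustration; `safe.org` and `evil.org` are the placeholder names from the comment above.

```python
import hmac
import re
from urllib.parse import urlsplit

# Constructed allow-list of exact origins (scheme + host, no path).
ALLOWED_ORIGINS = {"https://safe.org", "https://app.safe.org"}

# Item 1: a regexp that anchors only on the allowed host as a *prefix*.
# Nothing stops the hostname from continuing ("safe.org.evil.org"), and
# the optional "s" in https? also accepts plain http (item 3, downgrade).
_LOOSE_ORIGIN = re.compile(r"^https?://([a-z0-9-]+\.)*safe\.org")


def cors_origin_loose(origin: str) -> bool:
    """Vulnerable check: prefix match only."""
    return _LOOSE_ORIGIN.match(origin) is not None


def cors_origin_strict(origin: str) -> bool:
    """Hardened check: exact match of scheme://host[:port] against an allow-list.

    A browser Origin header never carries a path, query or fragment, so any
    of those present is itself a reason to refuse.
    """
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return f"https://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def accepts_json_body(content_type: str) -> bool:
    """Items 2 and 7: only treat a request as JSON when the media type really is
    application/json. text/plain (a form-POST-able type) and mixed values such
    as "text/plain; application/json" are refused, so a cross-site <form>
    submission cannot reach the JSON handler."""
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "application/json":
        return False
    # Allow a charset parameter and nothing else after the media type.
    for param in params.split(";"):
        param = param.strip()
        if param and not param.lower().startswith("charset="):
            return False
    return True


def csrf_token_ok(submitted, expected: str) -> bool:
    """Item 5: "token[]=" makes PHP hand the handler an array instead of a string.
    Refuse anything that is not a string before comparing in constant time."""
    if not isinstance(submitted, str) or not isinstance(expected, str):
        return False
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    # Constructed inputs mirroring the breakdown above.
    print(cors_origin_loose("https://safe.org.evil.org"))   # True  (bug)
    print(cors_origin_strict("https://safe.org.evil.org"))  # False
    print(accepts_json_body("text/plain; application/json"))  # False
    print(csrf_token_ok(["x"], "x"))                          # False
```

The strict origin check compares whole values rather than patterns, which is what removes both the suffix trick and the http downgrade in one go; the JSON gate and the token type check are the two places where "what the browser would let a cross-site form send" has to be refused explicitly on the server.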
perlgeek, over 5 years ago
These seem to have been "technical" bugs, mostly in the client-server communication of the self-service websites.

But hosting management also has a whole lot of potential for logical errors. I work at a B2B ISP that is also a managed service provider, and every now and then somebody calls for more self-service. I'm not against it, but it's full of landmines.

It starts with such simple things as account creation. We allow accounts with the appropriate roles to be used for several different customers, which means we cannot namespace them by tenant.

We used to give accounts usernames based on the first and last name, but that makes it very easy to leak which other accounts exist (when "John Doe" becomes "johndoe4" instead of just "johndoe", you can infer the existence of other accounts, and thus that other "John Doe"s are among our customer base). We had to change that, which isn't as easy as it sounds for a company that has been doing things a certain way for 25 years.

Potential logic errors and information leaks lurk in all places where you cannot namespace things because they are not fully under your control, which can be IP addresses (big customers bring their own address spaces, and IPv4 address space is too small for generous segmentation), domains, email addresses, phone numbers and so on.
Comment #21611817 not loaded
rhacker, over 5 years ago
Are the old hosting companies of the past still sharing the same disk with other users? I remember going cd .. and seeing a bunch of folders in /home from other users. If any one of those users used a chmod incorrectly I would be able to access their shit. It is not super likely for most files but well known files can be a problem. Beyond that, trusted CGI-BIN processes could probably be used to get around security concerns (takes some work). I've been wondering if many of these FTP/SSH/Hosting sites have since moved to docker or some containerization tech.

All this assuming the hacker would use a gift card to get a paid account to start.
Comment #21609613 not loaded
Comment #21609012 not loaded
Comment #21608649 not loaded
optimiz3, over 5 years ago
Dreamhost had the best response of all of them (at the bottom of the article).

Anecdotally, I've used Dreamhost for years as a domain host and have had nothing but positive experiences.

Originally I switched to them for being very vocally against SOPA, and they've consistently been on the right side of various Internet legislative issues.
Comment #21611357 not loaded
omarhaneef, over 5 years ago
I wish they had kept going till they found a web hosting firm that didn't have these issues. Can anyone -- not affiliated with such a firm -- recommend one?

If you are affiliated with such a firm, and you respond anyway, please explain what you do differently.
Comment #21609716 not loaded
Comment #21608292 not loaded
Comment #21608188 not loaded
Comment #21609932 not loaded
Abishek_Muthian, over 5 years ago
Factor in that all of these hosts are used primarily for WordPress hosting (Bluehost is the recommended partner). So, the plausible attack vectors for exploiting these vulnerabilities are plenty, via thousands of plugins.
ghostbrainalpha, over 5 years ago
3 of the 5 companies they tested are really the same company.

"Endurance, who runs Bluehost, iPage, and HostGator:"
Comment #21610245 not loaded
judge2020, over 5 years ago
Would setting samesite cookie values have mitigated Bluehost's problems 1 and 2 in part? Or do CORS requests include cookies for compatibility purposes?
Comment #21611613 not loaded
durbatuluk, over 5 years ago
I think everyone needs to remember CORS is a browser-only protection and anything you expose via a CORS-protected endpoint in reality has no protection at all. Try cURL reaching any endpoint protected by CORS and you'll see what I mean.

Also browsers automatically sending cookies enables many of these CSRF; consider JWT.

Amazing how PHP is still biting developers.
Comment #21611991 not loaded
Comment #21612762 not loaded
jessaustin, over 5 years ago
Lots of people seem to have anticipated these results! So, is it OK now that for low-volume static sites I've just thrown everything on S3? How about adding in lambda and SQS for low-volume almost-static sites? Is it still terrible that I've wasted cents per month on these services?
joshdance, over 5 years ago
Has anyone asked for a comment from any of these companies? Seems like a big security problem.
Comment #21608013 not loaded
Comment #21607805 not loaded
x__x, over 5 years ago
I stay away from Endurance International, which owns a ton of hosting companies:

https://en.wikipedia.org/wiki/Endurance_International_Group
poxrud, over 5 years ago
The good news is that these require a successful phishing attack, which is the number one way of getting hacked. Best to never click on any links in email.
marmot777, over 5 years ago
Were there web hosting services known for being more secure? For example, is AWS (particularly EC2 and LightSail) considered inherently more secure?
EricE, over 5 years ago
I always assumed cheap hosts were terrible, but this is mind boggling incompetence beyond what I would have imagined.
Comment #21607889 not loaded
Comment #21607884 not loaded
Comment #21607515 not loaded
js4ever, over 5 years ago
Just don't use cookies and all those attacks are irrelevant.
_bxg1, over 5 years ago
In fairness these are decidedly not top-tier hosting services.