A security researcher has found, reported, and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer’s account at some of the largest web hosting companies on the internet.
In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers — Bluehost, Dreamhost, Hostgator, OVH, and iPage.
“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch, with which he shared his findings before going public.