5 Popular Web Hosting Services Found Vulnerable to Multiple Flaws

A security researcher has discovered multiple one-click client-side vulnerabilities in some of the world’s most popular and widely used web hosting companies that could have put millions of their customers, as well as billions of their sites’ visitors, at risk of hacking.

Independent researcher and bug-hunter Paulos Yibelo, who shared his new research with The Hacker News, discovered roughly a dozen serious security vulnerabilities in Bluehost, Dreamhost, HostGator, OVH, and iPage, which amounts to roughly seven million domains.

Some of the vulnerabilities are so simple to exploit that attackers only need to trick victims into clicking on a simple link or visiting a malicious website to take over the accounts of anyone using the affected web hosting providers.

Critical Flaws Reported in Popular Web Hosting Services

Yibelo tested all the vulnerabilities listed below on all five web hosting platforms and found several account takeover, cross-site scripting, and information disclosure vulnerabilities, which he documented on the Website Planet blog.

1. Bluehost, the company owned by Endurance, which also owns HostGator and iPage; in total, the three hosting providers power more than 2 million sites around the world. Bluehost was found vulnerable to:
  • Information leakage through cross-origin-resource-sharing (CORS) misconfigurations
  • Account takeover due to improper JSON request validation CSRF
  • A Man-in-the-middle attack can be performed due to improper validation of CORS scheme
  • Cross-site scripting flaw on my.bluehost.com allows account takeover (demonstrated in a proof-of-concept, below)

2. Dreamhost—the hosting provider that powers one million domains was found vulnerable to:

  • Account takeover using cross-site scripting (XSS) flaw

3. HostGator

  • Site-wide CSRF protection bypass allows complete control
  • Multiple CORS misconfigurations leading to information leak and CRLF

4. OVH Hosting—the company that alone powers four million domains around the world was found vulnerable to:

  • CSRF protection bypass
  • API misconfigurations

5. iPage Hosting

  • Account takeover flaw
  • Multiple Content Security Policy (CSP) bypasses

images from Hacker News

Unprotected VOIP Server Exposed Millions of SMS Messages, Call Logs

A California-based Voice-Over-IP (VoIP) services provider VOIPO has accidentally left tens of gigabytes of its customer data, containing millions of call logs, SMS/MMS messages, and plaintext internal system credentials, publicly accessible to anyone without authentication.

VOIPo is one of the leading providers of Voice-Over-IP (VoIP) services in the United States, offering reseller VoIP, Cloud VoIP, and VoIP services to residential customers and small businesses.

Justin Paine, the head of Trust & Safety at CloudFlare, discovered an open ElasticSearch database last week using the Shodan search engine and notified VOIPO’s CTO, who then promptly secured the database, which contains at least 4 years of data on its customers.

According to Paine, the database contained 6.7 million call logs dating back to July 2017, 6 million SMS/MMS logs dating back to December 2015, and 1 million logs containing API keys for internal systems.

While the call logs included timestamp and duration of VOIPO customers’ VOIP calls and partial originating and destination phone numbers of those calls, the SMS and MMS logs even included the full content of messages.

Does WhatsApp Have A Privacy Bug That Could Expose Your Messages?

In short: neither the WhatsApp service nor its 45-day deletion policy seems to have a bug. For a detailed explanation, please read below.

An Amazon employee earlier today tweeted details about an incident that many suggest could be a sign of a huge privacy bug in WhatsApp, the most popular end-to-end encrypted messaging app, that could expose some of your secret messages under certain circumstances.

According to Abby Fuller, she found some mysterious messages on WhatsApp, notably not associated with her contacts, immediately after she created a new account with the messaging app on her brand new phone using a new number for the very first time.

Fuller believes that the content that mysteriously appeared on her new account was the message history associated with the WhatsApp account of the previous owner of the same SIM/mobile number, which WhatsApp pushed to her phone.

Since, for WhatsApp, your phone number is your username and your password is the OTP it sends to that number, it’s not a vulnerability. This is how the service works.

In a blog post, WhatsApp has explicitly mentioned that it’s a “common practice for mobile providers to recycle numbers, you should expect that your former number will be reassigned.”

In her tweets, Fuller said that the chat history that appeared was “not FULL, but definitely actual threads/DM conversations,” but she has yet to confirm whether those messages also included any message sent by the previous SIM owner.

However, to my knowledge, setting up WhatsApp on a new device using a new phone number could not restore the full message archive of the previous owner because the company never backs up your encrypted conversations on its server.

Instead, WhatsApp gives users the option to upload a backup of their chats to online cloud services, and just keeps pending messages on its own server until they are delivered to the recipients when they come back online.

This suggests that the messages Fuller found on her newly created WhatsApp account were probably only the undelivered messages sent by the contacts of the previous owner after he/she stopped using that SIM number.

Moreover, to prevent your previous messages from landing on someone else’s device, WhatsApp recommends that users either delete their account before they stop using a SIM or migrate the WhatsApp account with the “Change number” feature available in the app settings.

Police Can’t Force You To Unlock Your Phone Using Face or Fingerprint Scan

Can feds force you to unlock your iPhone or Android phone?

… “NO”

A Northern California judge has ruled that federal authorities can’t force you to unlock your smartphone using your fingerprints or other biometric features such as facial recognition—even with a warrant.

The ruling came in the case of two unspecified suspects allegedly using Facebook Messenger to threaten a man with the release of an “embarrassing video” to the public if he did not hand over money.

The federal authorities requested a search warrant for an Oakland residence, seeking to seize multiple devices connected to the suspects and then compel anybody on the premises at the time of their visit to unlock the devices using fingerprint, facial or iris recognition.

However, Magistrate Judge Kandis Westmore of the U.S. District Court for the Northern District of California turned down the request, ruling the request was “overbroad and neither limited to a particular person nor device.”

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs

A zero-day vulnerability has been discovered and reported in Microsoft’s Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on a Windows machine.

Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro’s Zero Day Initiative (ZDI) Program over 6 months ago, but the tech giant has refused to patch it, at least for now.

The vulnerability, which has not been assigned any CVE number, actually resides within the processing of a vCard file—a standard file format for storing contact information for a person or business, which is also supported by Microsoft Outlook.

According to the researcher, a remote attacker can maliciously craft a vCard file in a way that the contact’s website URL stored within the file points to a local executable file, which can be sent within a zipped file via an email or delivered separately via drive-by-download techniques.
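
A defensive check for the pattern described above, as an added example that is not from the researcher's proof of concept or from Microsoft: it reads the URL properties of a vCard and flags any that are not ordinary http(s) links. The extension list, the reason strings and the sample card are assumptions constructed for illustration.

```python
import re

ALLOWED_SCHEMES = {"http", "https"}  # assumption: a contact's website should be a web link
EXEC_EXT = (".exe", ".cpl", ".scr", ".bat", ".cmd", ".msi", ".hta", ".lnk")  # illustrative only

def unfold(text):
    """Join folded vCard lines: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if lines and raw[:1] in (" ", "\t"):
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def url_values(text):
    """Return the value of every URL property (parameters and group prefixes allowed)."""
    pairs = (line.partition(":") for line in unfold(text))
    return [v.strip() for n, sep, v in pairs
            if sep and n.split(";", 1)[0].rsplit(".", 1)[-1].upper() == "URL"]

def classify(value):
    """Return why a URL value is suspicious, or None for an ordinary http(s) link."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", value)
    scheme = m.group(1).lower() if m else ""
    if scheme in ALLOWED_SCHEMES and value[len(scheme):].startswith("://"):
        return None
    # A one-letter "scheme" is a Windows drive letter such as C:
    if scheme == "file" or len(scheme) == 1 or value.startswith(("\\\\", "/", ".")):
        return "local or UNC path"
    if value.lower().endswith(EXEC_EXT):
        return "executable target"
    return "not an http(s) link"

def scan(text):
    """List (value, reason) for every suspicious URL property in the vCard text."""
    return [(v, r) for v in url_values(text) if (r := classify(v))]

# Constructed sample card, not taken from the researcher's proof of concept.
SAMPLE = r"""BEGIN:VCARD
VERSION:2.1
URL;type=WORK:https://www.example.com/about
URL;type=pref:file:///C:/Users/Public/site.exe
item1.URL:contacts\site.cpl
URL:C:\Users\Public\hel
 per.exe
END:VCARD
"""
```

Run `scan()` over the text of `.vcf` attachments, including those extracted from zip archives, before they reach users; the sample card yields three findings and passes the one legitimate link.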
