Two security researchers, working independently on different projects, have discovered multiple vulnerabilities affecting several web hosting platforms, including the popular Bluehost, as well as Amadeus, the online reservation system used by many airlines.
According to independent security researcher Paulos Yibelo, Bluehost, a popular web hosting platform, was riddled with vulnerabilities, including one that would allow complete account takeover.
Rated as high severity, the vulnerabilities grant attackers access to personally identifiable information, partial payment information, and tokens that grant access to sites such as WordPress, Website Planet wrote. In addition to the bugs discovered in Bluehost, Yibelo also reported several bugs in other web hosting platforms, including Dreamhost, HostGator, OVH, and iPage.
“This should serve as a warning call for those companies authenticating customers online with legacy technology. Today, account takeover is not a hard attack to deploy, and the consequences can be devastating with bad actors stealing money and products,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.
In related news, security researcher Noam Rotem, working with the Safety Detective research lab, discovered a major vulnerability in Amadeus, an online booking system used by nearly half (44%) of all airlines worldwide, including United Airlines, Lufthansa, Air Canada, and many more, according to a January 15 blog post.
After receiving a message to check the passenger name record (PNR), the researchers were able to view any PNR and access customer data.
“With the PNR and customer name at our disposal, we were able to log into ELAL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service,” the researchers wrote.
A malicious actor would need a working knowledge of the PNR code in order to exploit the vulnerability, which has since been fixed.