DNS Hijacking vulnerability found in 000webhost and other free hosting sites

Last month, we learned that hackers hacked the Pakistani Google site and other sites by hijacking DNS records. The hackers modified the DNS records so that they pointed to a Freehostia site where the attacker hosted the defacement page.

Now an Indian security researcher, Aarshit Mittal, has come up with an interesting find: he has discovered a critical DNS hijacking vulnerability in popular free web-hosting providers. The vulnerability allows attackers to take control of the websites hosted there.

Aarshit has demonstrated how to exploit the vulnerability in his blog. The attacker needs to create an account with the target web hosting provider. He explained the vulnerability using 000webhost.com.

Once the account is created, the attacker logs in to the CPanel, which shows the shared IP address. Searching for that IP address with some keywords in Bing returns the sites hosted on that specific IP.

Interestingly, Aarshit managed to find some government sites (csirt.gov.bd) hosted on 000webhost.

After discovering the list of hosted sites, the attacker can add those domain names to 'parked domains' in the CPanel. The CPanel successfully allowed him to add the domain name.

Now the hacker just needs to upload a defacement page to his hosting account. Boom! The defacement page now appears on the victim site. The attacker can also create many subdomains under the hijacked domains.

By exploiting this security flaw, the researcher successfully hijacked the following domains:

  • test.fraymamertoesquiu.gov.ar
  • test.concejodeitagui.gov.co
  • dns.hviota.gov.co
  • test.digitizeyou.in
  • men.csirt.gov.bd
  • bd.csirt.gov.bd

A malicious hacker can hijack millions of sites hosted on free web-hosting sites. Aarshit tried to contact the affected companies, but they failed to respond to him.

List of affected sites:

  • www.freehostia.com/
  • www.freewebhostingarea.com/
  • x10hosting.com/
  • www.110mb.com/

These are not the only sites affected; plenty of other free hosting servers are affected by this vulnerability.
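
In the parked-domain step described above, the CPanel accepted a domain name that the requester did not control. The Python sketch below is an added example, not code from the researcher or from any hosting provider: it shows one way a provider could gate parked-domain requests. The account table, the secret, the `_park-challenge` label and the `txt_lookup` callable are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: domains already assigned to hosting accounts.
HOSTED = {"example-agency.test": "acct-1001", "shop.example.test": "acct-1002"}
SECRET = b"placeholder-provider-secret"  # assumption: kept server-side


def normalize(domain):
    return domain.strip().rstrip(".").lower()


def challenge_token(account, domain):
    """Token the requester must publish in DNS to prove control of `domain`."""
    msg = f"{account}:{normalize(domain)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def owning_account(domain, hosted):
    """Return the account holding `domain` or any parent domain of it."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        owner = hosted.get(".".join(labels[i:]))
        if owner is not None:
            return owner
    return None


def may_park(account, domain, hosted, txt_lookup):
    """Decide whether `account` may add `domain` as a parked domain.

    `txt_lookup(name)` is a hypothetical callable returning the TXT strings
    for `name`; in production it would query DNS, here it is injected.
    """
    domain = normalize(domain)
    owner = owning_account(domain, hosted)
    if owner is not None and owner != account:
        return False, "name belongs to another account's domain"
    expected = challenge_token(account, domain).encode()
    records = txt_lookup(f"_park-challenge.{domain}")
    if not any(hmac.compare_digest(r.encode(), expected) for r in records):
        return False, "DNS ownership challenge not satisfied"
    return True, "ok"


if __name__ == "__main__":
    fake_dns = {}  # constructed resolver data
    print(may_park("acct-2000", "test.example-agency.test", HOSTED,
                   lambda n: fake_dns.get(n, [])))
```

The parent-domain check covers the subdomain case in the list of hijacked names, while the TXT challenge covers names not yet known to the provider.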