Your Website Should Reflect Your Brand – Not an Attacker’s

When IT professionals and business owners think about their security strategies, they often forget one of the easiest assets for cyber criminals to attack: their websites. From consumer brands to small businesses to large enterprises, a website is the front-facing identity of any organization, and it needs the same level of security as any other asset.

iPage is a web hosting provider that offers website solutions for site owners and businesses, such as domain purchasing, hosting plans, and private email accounts, all consolidated under a proprietary control panel. Owned by the Endurance International Group, the iPage platform serves over 1,000,000 customers and more than 2,000,000 websites worldwide.

Researcher Liad Mizrachi, a member of the Check Point Security Research Group, recently discovered a critical vulnerability in iPage which would have enabled attackers to take full control of any website hosted on the platform.

Where was iPage’s Vulnerability?

Check Point researchers discovered a Cross-Site Request Forgery (CSRF) vulnerability in the iPage control panel. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated: the victim's browser automatically attaches the session cookie to any request aimed at the application, even one triggered by a page or link the attacker controls, so the application cannot tell a forged request from a genuine one unless it checks something the attacker cannot supply. In this case, researchers found that by sending a crafted link to the website owner, an attacker could have added a new file transfer protocol (FTP) account to the website or changed the administrator's password.
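To make the mechanism concrete, the following is an added illustration, not iPage's code or the researcher's proof of concept. It simulates a hosting control panel with an "add FTP account" action, once without CSRF protection (the state change is accepted from any request that carries a valid session cookie, including a plain GET link) and once hardened with a per-session synchronizer token plus an Origin check. All names (ControlPanel, the /ftp/add path, the cookie and form field names, the example origins) are assumptions chosen for the example.

```python
"""Toy control panel showing a CSRF-able action beside its hardened form.

Added example; not code from iPage or Check Point. Request/response
plumbing is simulated in memory so it runs offline. All identifiers and
hostnames are hypothetical.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict                      # query string or form body
    headers: dict = field(default_factory=dict)


class ControlPanel:
    def __init__(self, csrf_protected: bool):
        self.csrf_protected = csrf_protected
        self.sessions = {}            # session id -> {"user": ..., "csrf": ...}
        self.ftp_accounts = {}        # site -> list of FTP usernames
        self.origin = "https://panel.example.test"   # assumed panel origin

    def login(self, site: str) -> str:
        sid = secrets.token_urlsafe(16)
        # Per-session synchronizer token; rendered only into the owner's own
        # pages, so a cross-site attacker cannot read it.
        self.sessions[sid] = {"site": site, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def handle(self, req: Request):
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None:
            return 401, "not logged in"
        if req.path != "/ftp/add":
            return 404, "no such action"
        if self.csrf_protected:
            # 1. State changes only over POST: a bare <a href> or <img src>
            #    in an attacker's page cannot trigger them.
            if req.method != "POST":
                return 405, "use POST"
            # 2. Synchronizer token must match the session's token
            #    (constant-time compare to avoid a timing oracle).
            submitted = req.params.get("csrf_token", "")
            if not secrets.compare_digest(submitted, sess["csrf"]):
                return 403, "bad csrf token"
            # 3. Defence in depth: if the browser sent Origin, it must be ours.
            origin = req.headers.get("Origin")
            if origin is not None and origin != self.origin:
                return 403, "cross-origin request"
        self.ftp_accounts.setdefault(sess["site"], []).append(req.params["ftp_user"])
        return 200, "ftp account added"


def browser_forged_request(panel, victim_sid, method, params, attacker_origin):
    """Simulate the victim's browser following an attacker's link (GET) or
    auto-submitting an attacker's form (POST). Cookies for the panel's
    domain are attached automatically; the CSRF token is not available."""
    req = Request(method, "/ftp/add",
                  cookies={"session": victim_sid},
                  params=params,
                  headers={"Origin": attacker_origin} if method == "POST" else {})
    return panel.handle(req)


def run_attack(csrf_protected: bool, method: str = "GET"):
    """Log a victim in, deliver the forged request, report status and accounts."""
    panel = ControlPanel(csrf_protected)
    sid = panel.login("victim-site.example.test")
    status, _ = browser_forged_request(panel, sid, method,
                                       {"ftp_user": "attacker"},
                                       "https://evil.example.test")
    return status, panel.ftp_accounts.get("victim-site.example.test", [])


def legitimate_submit(panel, sid, ftp_user):
    """The owner's own page includes the token, so the hardened panel accepts it."""
    req = Request("POST", "/ftp/add",
                  cookies={"session": sid},
                  params={"ftp_user": ftp_user, "csrf_token": panel.csrf_token(sid)},
                  headers={"Origin": panel.origin})
    return panel.handle(req)


if __name__ == "__main__":
    print("vulnerable, GET link :", run_attack(False, "GET"))    # (200, ['attacker'])
    print("hardened, GET link   :", run_attack(True, "GET"))     # (405, [])
    print("hardened, POST form  :", run_attack(True, "POST"))    # (403, [])
```

The hardened version rejects the forged request before touching state, while the owner's own form, which carries the session-bound token, still succeeds. A SameSite cookie attribute would add a further browser-side layer, but the server-side token check is the control that does not depend on the client.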

The consequences? By taking control of the site's administrator account, an attacker could have stolen personal and financial data, deployed exploit kits to infect the website's users and visitors, planted a phishing page on the compromised hosting account, or even defaced the site and caused downtime.

Check Point reported this issue to iPage, which confirmed the vulnerability and fixed it.

Check Point security researchers have often taken the lead in identifying and 'cracking the code' on emerging security threats, including a recent discovery in the WordPress plug-in LiveSupporti.