NARESH LAMGADE

How I Hacked Your Hostgator Account

Author: Naresh LamGade
13th February, 2016
bug


Hostgator is one of the biggest hosting service providers in the world, but it still had a critical issue which let us hack into any Hostgator account with just a click, i.e. CSRF.

I found a CSRF issue on their Hostgator user portal (https://portal.hostgator.com).

When we update our account email, it sends a confirmation link to that email inbox.
Authorization link:

 https://portal.hostgator.com/customer/email/primary/bmFyZXNoLmxhbWdhZGVAZ21haWwuY29tQEBoL2p1dGNOYVVWQmp6d3IwYjFpV0E1WTdyeUM4Z3FtTE85aVpDNzZXMnpR

So, if we send this authorization link to the victim and he/she clicks on the link, then his/her account will be set with the new email address.
At first it threw an error like “email already used”, but when we refresh the page and check the email setting, it will be set there.

Here’s a video POC :

 

Hostgator Vulnerability : Account Take Over ( CSRF ) from Naresh LamGade on Vimeo.

This issue was reported back in early 2015 and it has been fixed now, even though they took a long time to fix it. As a reward, they offered me free service on any one of their products.
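A sketch of the server-side check that closes this class of bug, added here as an example and not Hostgator's code or the author's. It assumes, as the post describes, that the confirmation link was applied to whichever logged-in account opened it; the function names, token format and key are hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_token(account_id: str, new_email: str, ttl: int = 3600, now=None) -> str:
    """Create a confirmation token bound to the account that asked for the change."""
    body = json.dumps({"acct": account_id, "email": new_email,
                       "exp": int(now or time.time()) + ttl},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(_sign(body) + body).decode()

def confirm_unbound(session_account: str, token: str, accounts: dict) -> bool:
    """Weak pattern: trusts the link alone, so the email lands on whoever opens it."""
    claims = json.loads(base64.urlsafe_b64decode(token)[32:])
    accounts[session_account] = claims["email"]
    return True

def confirm_bound(session_account: str, token: str, accounts: dict, now=None) -> bool:
    """Hardened: check the MAC, the expiry, and that the session owns the token."""
    try:
        raw = base64.urlsafe_b64decode(token)
        mac, body = raw[:32], raw[32:]
        if not hmac.compare_digest(mac, _sign(body)):
            return False  # forged or altered token
        claims = json.loads(body)
    except (ValueError, TypeError):
        return False  # not base64 / not JSON
    if claims["exp"] < int(now or time.time()):
        return False  # stale link
    if claims["acct"] != session_account:
        return False  # link opened from a different account's session
    accounts[session_account] = claims["email"]
    return True
```

In a real handler the confirmation should also be a POST behind an explicit confirm button rather than a state-changing GET, and a rejected token is worth logging as a possible CSRF attempt.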
