SoShabby GoDaddy flings patch at domain hijack hole

No fix -chipped security bod drops blog

Domain goliaths GoDaddy has rushed to plug a vulnerability that allowed attackers to hijack registered sites.

Pen tester Dylan Saccomanni dropped the Cross-Site Request Forgery (CSRF) bug on his blog after the company said there was no timeline for a fix.

GoDaddy applied a fix less than 24 hours after the blog was published.

"An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy," Saccomanni said.

"They don't need sensitive information about the victim's account, either – for auto-renew and nameservers, you don't need to know anything.

"For DNS record management, all you need to know is the domain name of the DNS records."

The hacker posted code required to edit nameservers and DNS records, and turn off auto-renew features.

He found the flaw while tinkering with an old account, discovering a lack of CSRF protection on GoDaddy's DNS management actions.

"In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers," he said.

The vulnerability type was exploited by attackers through social engineering, often phishing, to force authenticated admins to alter conditions or requests

GoDaddy was not immediately able to say if accounts had been compromised.

Saccomanni said he attempted to call GoDaddy and emailed three addresses before striking lucky on Twitter. ®




Biting the hand that feeds IT © 1998–2019