A vulnerability that could allow GoDaddy customer domains to be taken over has been patched. The vulnerability was discovered by independent security engineer Dylan Saccomanni on Saturday, and fixed within 48 hours.
Saccomanni published a post on Sunday detailing the vulnerability. It meant that if an attacker successfully lured a GoDaddy customer to a site hosting an attack, the attacker could edit nameservers or change other DNS management settings, and take over the domain.
After discovering the vulnerability, Saccomanni made a series of attempts to notify GoDaddy. Finding that he could not reach GoDaddy through a couple of email addresses typically monitored within the industry, and that Google searches and phoning support did not provide the contact he was looking for, Saccomanni reached the company publicly through Twitter.
Cross-site request forgery, or CSRF, is characterized by Threatpost as “a chronic web application vulnerability,” and Saccomanni told Threatpost that it wouldn’t be difficult to exploit.
“A user could have a domain de facto taken over in several ways. If nameservers are changed, an attacker changes the domain’s nameservers (which dictates what server has control of DNS settings for that domain) over to his own nameservers, immediately having full and complete control,” Saccomanni said. “If DNS settings are changed, he simply points the victim’s domain towards an IP address under his control. If the auto-renew function is changed, the attacker will try to rely on a user forgetting to renew their domain purchase for a relatively high-profile domain, then buy it as soon as it expires.”
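To make the mechanism behind the bug concrete, here is an added example (not code from the article, GoDaddy or Saccomanni) of a nameserver-update handler in two forms: one that trusts the session cookie alone, which is the pattern a cross-site request forgery abuses, and one hardened with an origin check and a per-session synchronizer token. The registrar origin, hostnames and in-memory session store are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical registrar origin; the article does not name any real endpoint.
ALLOWED_ORIGIN = "https://dns.registrar.example"

# Constructed in-memory session store: session id -> account state.
SESSIONS = {}


def start_session():
    """Log a customer in and issue a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32),
                     "nameservers": ["ns1.legit.example", "ns2.legit.example"]}
    return sid


def _source_origin(headers):
    """Where the browser says the request came from: Origin, else Referer."""
    if "Origin" in headers:
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def update_nameservers_vulnerable(req):
    """The pattern behind the bug: the session cookie alone authorizes the change,
    so a browser-sent cross-site POST carrying the victim's cookie is accepted."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return ("rejected", "no session")
    session["nameservers"] = req["form"]["nameservers"].split(",")
    return ("ok", session["nameservers"])


def update_nameservers_protected(req):
    """Hardened form: same session check, plus origin check and synchronizer token."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return ("rejected", "no session")
    if _source_origin(req["headers"]) != ALLOWED_ORIGIN:
        return ("rejected", "cross-site origin")
    token = req["form"].get("csrf_token", "")
    # Constant-time comparison of the submitted token with the session's token.
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return ("rejected", "missing or invalid CSRF token")
    session["nameservers"] = req["form"]["nameservers"].split(",")
    return ("ok", session["nameservers"])
```

Because an attacking page cannot read the victim's session-bound token and cannot control the Origin header the browser attaches, the protected handler rejects the cross-site request even though the cookie is present.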
Saccomanni expressed frustration at the challenges he had reaching GoDaddy, and at the company's refusal to let him speak directly to a security engineer.
Microsoft and Google have accused each other of self-serving security policies after Google published a zero-day Windows vulnerability before it was patched, despite Microsoft's request that the disclosure be delayed.
The WHIR contacted GoDaddy for comment but had not heard back as of publication.