Domain registrar GoDaddy yesterday patched a cross-site request forgery vulnerability that could have allowed an attacker to change domain settings on a site registered with GoDaddy.
The flaw was reported on Saturday and patched within 48 hours, according to Dylan Saccomanni, a web application security researcher and penetration testing consultant in New York.
“This vulnerability lies in GoDaddy domain settings (not account settings). If you go to ‘Domains’ when you log into GoDaddy, you’ll be presented with various options and settings you can edit for the specific domain you chose,” Saccomanni said. “That is where this issue is.”
Cross-site request forgery is a chronic web application vulnerability, right up there with cross-site scripting and others that continue to stand in the way of secure development. CSRF works when a user authenticated to a web application or domain is forced by a hacker to make state-changing requests, including administrative requests in this case. The attacker, however, would have to combine this with some form of social engineering scam in order to lure the victim to their site hosting the attack.
“It wouldn’t be difficult to exploit at all,” Saccomanni said. “The attacker would have a victim fill out a very professional looking form (maybe not even relating it to GoDaddy at all), and have the form perform a GoDaddy domain settings change request while they’re logged in. He could do this at scale, attracting GoDaddy users to his site, betting they’ll be logged in.”
Saccomanni said he discovered the vulnerability Saturday when looking at an old domain in GoDaddy, noticing a lack of cross-site request forgery protection on GoDaddy DNS management actions. Saccomanni said there was no CSRF token present in request body or headers, and no enforcement of Referrer. This lack of protection would give an attacker the ability to edit nameservers, change auto-renew settings and edit the zone file.
“A user could have a domain de facto taken over in several ways. If nameservers are changed, an attacker changes the domain’s nameservers (which dictates what server has control of DNS settings for that domain) over to his own nameservers, immediately having full and complete control,” Saccomanni said. “If DNS settings are changed, he simply points the victim’s domain towards an IP address under his control. If the auto-renew function is changed, the attacker will try to rely on a user forgetting to renew their domain purchase for a relatively high-profile domain, then buy it as soon as it expires.”
The #CSRF vulnerability could have allowed an attacker to change domain settings on a site registered with @GoDaddy.Tweet
Saccomanni said he tried many different email addresses associated with security and engineering, as well as customer support in order to report the bug. He said he received no confirmation from GoDaddy that the issue was patched, but yesterday did see protections put in place. A request for comment and confirmation from GoDaddy was not returned in time for publication.
“The reply that I received from customer support was that 1. the security email address isn’t being actively monitored for incoming email and 2. thanking me for the feedback, but there was no timeline for a fix,” Saccomanni said, adding that he never found an official security contact with the registrar. “I wish I could give you a security contact because I wish I got one myself, but they didn’t even allow me to try and speak with a security engineer directly, which is a vastly disappointing security posture for a large domain registrar.”