UPDATE: The domain registrar and Web-hosting company Namecheap has fixed a cross-site request forgery vulnerability in its DNS setup page. According to security researcher Henry Hoggard, the bug could have given an attacker the ability to hijack domain name system servers and redirect incoming traffic.
In an email interview, Hoggard told Threatpost he had no evidence to suggest the vulnerability had been exploited in the wild. However, if there had been an attacker with knowledge of the vulnerability, that person could have redirected incoming traffic away from its intended destination and toward a malicious site under the attacker’s control. This tactic is widely used among cybercriminals seeking to collect log-in information, install malware on victim machines, and perform other malicious acts.
Furthermore, Hoggard claimed in a blog post announcing the vulnerability that malicious actors could also have exploited the flaw to intercept mail exchange records and email communications.
“This would have impacted all customers, which I’m sure is a lot of high profile websites, as Namecheap is one of the most popular domain registrars,” Hoggard said.
According to information on its website, Namecheap services more than 800,000 clients and manages more than three million domains.
Namecheap implemented the vulnerability fix on their end. No user interaction is required to apply the patch.
Hoggard reported the bug to Namecheap in June. It is not clear why the company took so much time to resolve the flaw. Hoggard suggested that the delay may have arisen from organizational problems rather than patching lethargy.
“It took Namecheap just over six months to fix it,” Hoggard said. “I do not know why it took so long, but I had to go through the general customer support ticketing system to report it as I could not find a security contact for them. So that took a lot of time just to find the right person to report it to.”
Namecheap issued a response on their website downplaying the significance of the bug, claiming that no customers had been impacted by the CSRF vulnerability. The registrar said that exploiting the vulnerability, which they monitored from the time it was reported until they fixed it, required very specific criteria.
An attacker attempting to exploit this bug would have to compel his or her victim to open a malicious attachment or follow a link to a website containing malware. The vulnerability is only exploitable if the victim opens a malicious attachment or link while logged into his or her Namecheap account in the same browser. Beyond this, the attacker would have to know the domain of his or her victim.