The popular domain hosting website GoDaddy learned about a vulnerability in their security system this week that could allow hackers to take complete control of sites registered to the company, according to the Register. The problem was identified by blogger and security engineer Dylan Saccomanni, who wrote a post identifying the GoDaddy issue and attempted to contact the site’s support. GoDaddy patched the security gap within 24 hours after Saccomanni made the blog post.
“An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy,” Saccomanni said on his blog.
“They don’t need sensitive information about the victim’s account, either – for auto-renew and nameservers, you don’t need to know anything. For DNS record management, all you need to know is the domain name of the DNS records.”
The vulnerability could have been a major security and privacy issue, considering the fact that GoDaddy is one of the most-used hosting sites on the web, with over 12 million users, according to the official GoDaddy site. Thousands of users were exposed to hacking attacks, which could have resulted in personal and business websites getting hijacked and personal information compromised.
The Good Samaritan hacker, Saccomanni, discovered the weakness in GoDaddy’s security while messing around with an old account on the site. He noticed a lack of CSRF protection within GoDaddy’s DNS management actions. Saccomanni posted more information on his blog, including the chunks of code that could have been used to edit nameservers and edit GoDaddy DNS records.
“While I was managing an old domain in GoDaddy, I noticed that there was absolutely no cross-site request forgery protection at all on many GoDaddy DNS management actions, which are state-changing POST requests (no CSRF token in request body or headers, and no enforcement of Referer or Content-Type). In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers.”
He made GoDaddy aware of the flaw and received confirmation from the company that they were unsure when the problem would be fixed, according to Net-Security. However, GoDaddy had found a solution to the problem by Monday and sealed up the security hole. They did so by implementing CSRF protection for sensitive accounts.
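The three checks Saccomanni reported as missing (a CSRF token, Referer enforcement and Content-Type enforcement) can be combined into one server-side gate for state-changing requests. The code below is an added example, not GoDaddy's code or code from Saccomanni's post; the `X-CSRF-Token` header name, the JSON-only endpoint and the `dns.example.test` origin used with it are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change state
EXPECTED_TYPE = "application/json"          # assumption: endpoint accepts JSON only


def new_csrf_token():
    """Per-session random token, stored server-side and echoed by the site's own pages."""
    return secrets.token_urlsafe(32)


def _origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None                         # covers the literal "null" Origin
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_state_change(method, headers, session_token, site_origin):
    """Return (allowed, reason) for one request against one logged-in session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}

    # 1. The request must come from our own origin (Origin, else Referer).
    source = h.get("origin") or h.get("referer")
    if source is None or _origin_of(source) != site_origin:
        return False, "origin/referer mismatch"

    # 2. A cross-site HTML form cannot send application/json, so require it.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != EXPECTED_TYPE:
        return False, "unexpected content-type"

    # 3. The token must match the session's token (constant-time comparison).
    sent = h.get("x-csrf-token", "")        # hypothetical header name
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

The token check is the primary control; the origin and content-type checks are additional layers that reject a forged form submission before the token is even examined.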
GoDaddy did not reveal if any accounts were compromised during the vulnerability.
GoDaddy is most famous for their risqué commercials and, while they might have abandoned the gimmick of getting people to log onto the website by implying you’d get to see sexually-explicit material, their commercials are still pretty edgy.