Latest news of the domain name industry

Recent Posts

Domain hijacking bug found in Go Daddy

Kevin Murphy, January 22, 2015, 13:47:21 (UTC), Domain Registrars

Go Daddy has rushed out a fix to a security bug in its web site that could have allowed attackers to steal valuable domain names.

Security engineer Dylan Saccomanni found several “cross site request forgery” holes January 17, which he said could be used to “edit nameservers, change auto-renew settings and edit the zone file entirely”.

He reported it to Go Daddy (evidently with some difficulty) and blogged it up, with attack code samples, January 18. Go Daddy reportedly patched its site the following day.

A CSRF vulnerability is where a web site fails to adequately validate data submitted via HTTP POST. Basically, in this case Go Daddy apparently wasn’t checking whether commands to edit name servers, for example, were being submitted via the correct web site.

Mitigating the risk substantially, attackers would have to trick the would-be victim domain owner into filling out a web form on a different site, while they were simultaneously logged into their Go Daddy accounts, in order to exploit the vulnerability, however.

In my experience, Go Daddy times out logged-in sessions after a period, reducing the potential attack window.

Being phishing-aware would also reduce your chance of being a victim.

I’m not aware of any reports of domains being lost to this attack.

Tagged: , ,

Add Your Comment