An Internet domain registrar and web hosting company GoDaddy has patched a Cross-Site Request Forgery (CSRF or XSRF) vulnerability that allowed hackers and malicious actors to hijack websites registered with the domain registration company.
The vulnerability was reported to GoDaddy on Saturday by Dylan Saccomanni, a web application security researcher and penetration testing consultant in New York. Without any time delay, the company patched the bug in less than 24 hours after the blog was published.
While managing an old domain registered on GoDaddy, Saccomanni stumbled across the bug and noticed that there was absolutely no protection against CSRF vulnerability at all on many GoDaddy DNS management actions.
Cross-Site Request Forgery (CSRF) is a method of attacking a website in which an attacker need to convince the victim to click on a specially crafted HTML exploit page that will make a request to the vulnerable website on their behalf.
This common but rather chronic web application vulnerability could have been used by attackers to manipulate domain settings on any sites or even hijack the entire domain without any knowledge to the victim (domain buyer).
"An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy," Saccomanni wrote on his blog post.
According to the researcher, there was no CSRF token present in request body or headers, and no enforcement of Referrer, which leveraged hackers to post codes required to edit name-servers, turn off auto-renew features and edit the zone file.
All attackers need to do is leverage some sort of social engineering tactic in order to exploit the CSRF vulnerability.
"They don't need sensitive information about the victim's account, either – for auto-renew and nameservers, you don't need to know anything," Saccomanni said. "For DNS record management, all you need to know is the domain name of the DNS records."
GoDaddy was not immediately able to response on the issue or say if its users accounts had been compromised.
Saccomanni said he attempted to contact GoDaddy using many different email addresses associated with security and engineering, as well as customer support in order to report the flaw.
He received a word that there would be “no timeline” for a patch. However, yesterday he noticed that a CSRF protection was implemented on the place.