GoDaddy fixed a CSRF flaw that allows Domain takeover

A security expert discovered a cross-site request forgery (CSRF) flaw to take over domains registered with GoDaddy, the company has already fixed it.

The security engineer Dylan Saccomanni discovered a critical cross-site request forgery (CSRF) vulnerability in GoDaddy domain management console that could be exploited by attackers to take over domains.

The vulnerability was discovered on January 17 by Saccomanni while he was managing a domain, the expert noticed that GoDaddy had not implemented any countermeasure against CSRF attacks for many DNS management actions.

“In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers.” the researcher wrote in a blog post.

Practically exploiting the vulnerability it is possible to operate DNS changes, like editing of the nameservers or the zone file, the expert also noticed that was possible to modify automatic renewal settings. Saccomanni has also published a proof-of-concept code for demonstrating the above abilities.

“Cross-site request forgery, much like cross-site scripting, relies on some form deception or social engineering in order to exploit,” continues Saccomanni. “However, it’s still serious, as an attacker can use the CSRF vulnerability presented here to de facto take over a domain from a victim. They don’t need sensitive information about the victim’s account, either – for auto-renew and nameservers, you don’t need to know anything. For DNS record management, all you need to know is the domain name of the DNS records.”

Below the POST request for saving an edit to nameservers:

POST /dcc50/Modals/DomainActions/NSManageWS.asmx/ValidateNameserver HTTP/1.1
Host: dcc.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{'request':'{"isall":false,"nsobjs":[{"ns":"foo.example.com","ips": [],"index":0,"add":1,"status":""}, {"ns":"bar.example.com","ips": [],"index":1,"add":1,"status":""}]}'}

Saccomanni reported the vulnerability to GoDaddy team on January 18 and the company on January 19 has fixed the security issue by deploying CSRF protections for the management console.

CSRF flaws are very common and was discovered in a wide range of websites and applications, including Samsung’s Find My Mobile service, AVIRA and PayPal.

Pierluigi Paganini

(Security Affairs –  CSRF, GoDaddy)