Categories: Hacking

GoDaddy fixed a CSRF flaw that allows Domain takeover

A security expert discovered a cross-site request forgery (CSRF) flaw to take over domains registered with GoDaddy, the company has already fixed it.

The security engineer Dylan Saccomanni discovered a critical cross-site request forgery (CSRF) vulnerability in GoDaddy domain management console that could be exploited by attackers to take over domains.

The vulnerability was discovered on January 17 by Saccomanni while he was managing a domain, the expert noticed that GoDaddy had not implemented any countermeasure against CSRF attacks for many DNS management actions.

“In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers.” the researcher wrote in a blog post.

Practically exploiting the vulnerability it is possible to operate DNS changes, like editing of the nameservers or the zone file, the expert also noticed that was possible to modify automatic renewal settings. Saccomanni has also published a proof-of-concept code for demonstrating the above abilities.

“Cross-site request forgery, much like cross-site scripting, relies on some form deception or social engineering in order to exploit,” continues Saccomanni. “However, it’s still serious, as an attacker can use the CSRF vulnerability presented here to de facto take over a domain from a victim. They don’t need sensitive information about the victim’s account, either – for auto-renew and nameservers, you don’t need to know anything. For DNS record management, all you need to know is the domain name of the DNS records.”

Below the POST request for saving an edit to nameservers:

POST /dcc50/Modals/DomainActions/NSManageWS.asmx/ValidateNameserver HTTP/1.1
Host: dcc.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{'request':'{"isall":false,"nsobjs":[{"ns":"foo.example.com","ips": [],"index":0,"add":1,"status":""}, {"ns":"bar.example.com","ips": [],"index":1,"add":1,"status":""}]}'}

Saccomanni reported the vulnerability to GoDaddy team on January 18 and the company on January 19 has fixed the security issue by deploying CSRF protections for the management console.

CSRF flaws are very common and was discovered in a wide range of websites and applications, including Samsung’s Find My Mobile service, AVIRA and PayPal.

Pierluigi Paganini

(Security Affairs – CSRF, GoDaddy)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.