GoDaddy CSRF Flaw Allows Total Domain Hijacking

GoDaddy has patched a cross-site request forgery (CSRF) vulnerability that would allow hackers to take over domains registered with the domain registration company.

Security researcher Dylan Saccomanni, while managing an old domain at GoDaddy, noticed that many of GoDaddy's DNS management actions had no CSRF protection at all.

Saccomanni said it was "somewhat difficult" to reach GoDaddy's security team, but he eventually got through via the @GoDaddyHelp account on Twitter. Once notified, the web hosting giant fixed the flaw in a single day. And no wonder: the flaw is very dangerous.

“These are state-changing POST requests (no CSRF token in request body or headers, and no enforcement of Referer or Content-Type),” he explained in his blog, Breaking Bits. “In fact, you could edit name servers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers.”

The bottom line is that an attacker could use the CSRF vulnerability to take over a victim's domain in all but name: pointing the domain at attacker-controlled nameservers or rewriting its zone file redirects all of its traffic, and switching off auto-renew lets the registration lapse.

“They don’t need sensitive information about the victim’s account, either—for auto-renew and nameservers, you don’t need to know anything,” Saccomanni said. “For DNS record management, all you need to know is the domain name of the DNS records.”

CSRF relies on some form of deception or social engineering to exploit, but it is not hard to pull off, because it abuses the trust a site places in the victim's browser: any request the browser sends to the site carries the victim's session cookies, whether or not the victim intended to send it. To forge a request, an attacker first profiles the target site, either by reading the HTML source or by inspecting HTTP traffic, works out the format of a legitimate request, and then builds a form that reproduces it (often on a page that mimics the legitimate site) and gets a logged-in victim to load it.

All in all, cross-site request forgery, much like cross-site scripting, is a simple and common class of web vulnerability. In December, PayPal patched a CSRF vulnerability that would have enabled a hacker to completely bypass its authentication system; the white-hat who found it received a $10,000 bounty.
