The security engineer Dylan Saccomanni discovered a critical cross-site request forgery (CSRF) vulnerability in GoDaddy domain management console that could be exploited by attackers to take over domains.
The vulnerability was discovered on January 17 by Saccomanni while he was managing a domain, the expert noticed that GoDaddy had not implemented any countermeasure against CSRF attacks for many DNS management actions.
“In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers.” the researcher wrote in a blog post.
Practically exploiting the vulnerability it is possible to operate DNS changes, like editing of the nameservers or the zone file, the expert also noticed that was possible to modify automatic renewal settings. Saccomanni has also published a proof-of-concept code for demonstrating the above abilities.
“Cross-site request forgery, much like cross-site scripting, relies on some form deception or social engineering in order to exploit,” continues Saccomanni. “However, it’s still serious, as an attacker can use the CSRF vulnerability presented here to de facto take over a domain from a victim. They don’t need sensitive information about the victim’s account, either – for auto-renew and nameservers, you don’t need to know anything. For DNS record management, all you need to know is the domain name of the DNS records.”
Below the POST request for saving an edit to nameservers:
Saccomanni reported the vulnerability to GoDaddy team on January 18 and the company on January 19 has fixed the security issue by deploying CSRF protections for the management console.
(Security Affairs – CSRF, GoDaddy)