Security engineer Dylan Saccomanni has discovered a critical CSRF vulnerability that can be exploited to take over domains registered with Go Daddy, and has forced the popular internet domain registrar and web hosting company to issue a fix sooner rather than later.
“While I was managing an old domain in GoDaddy, I noticed that there was absolutely no cross-site request forgery protection at all on many GoDaddy DNS management actions, which are state-changing POST requests (no CSRF token in request body or headers, and no enforcement of Referer or Content-Type),” he explained on his blog.
“In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers,” he noted, and shared several proof-of-concept POST requests that can be used to make these edits and changes.
He also pointed out that would-be attackers don’t even need to possess sensitive information about the victim’s account in order to make the first two changes (auto-renew and nameservers).
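To make the flaw concrete from the defender's side, the following added example (not code from the original article, from Saccomanni, or from Go Daddy) simulates a nameserver-update endpoint twice: once checking only the session cookie, which the browser attaches to any cross-site POST automatically, and once with the protections the post says were missing, a per-session synchronizer token plus an Origin/Referer check. The site origin, session store, request dictionaries and hostnames are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical registrar origin used for the Origin/Referer check (not Go Daddy's).
SITE_ORIGIN = "https://dns.example.test"

# Constructed session store: session id -> user and that session's CSRF token.
SESSIONS = {
    "sess-abc": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)},
}

# Constructed account state: nameservers per user.
NAMESERVERS = {"alice": ["ns1.example.test", "ns2.example.test"]}


def session_for(request):
    """Look up the session named by the cookie the browser sent."""
    sid = request.get("cookies", {}).get("session")
    return SESSIONS.get(sid)


def vulnerable_update_nameservers(request):
    """The weakness described in the post: the only check is a valid session cookie.
    Because browsers attach cookies to cross-site form posts, any page the victim
    visits can trigger this state change."""
    sess = session_for(request)
    if request["method"] != "POST" or sess is None:
        return 403, "not authenticated"
    NAMESERVERS[sess["user"]] = request["form"]["nameservers"].split(",")
    return 200, "updated"


def request_origin(request):
    """Return the scheme://host of the request from Origin, else Referer, else None."""
    headers = request.get("headers", {})
    if "Origin" in headers:
        return headers["Origin"]
    if "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_update_nameservers(request):
    """Same endpoint with two independent CSRF defenses layered on the session check."""
    sess = session_for(request)
    if request["method"] != "POST" or sess is None:
        return 403, "not authenticated"
    # 1. Synchronizer token: must be in the body and match this session's token.
    #    Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    token = request.get("form", {}).get("csrf_token")
    if token is None or not hmac.compare_digest(
        token.encode("utf-8"), sess["csrf_token"].encode("utf-8")
    ):
        return 403, "missing or invalid CSRF token"
    # 2. Origin/Referer must name this site; a missing header is rejected as well.
    if request_origin(request) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    NAMESERVERS[sess["user"]] = request["form"]["nameservers"].split(",")
    return 200, "updated"


# Constructed cross-site POST: the victim's cookie rides along, but there is no token
# and the Origin is a third-party page.
CROSS_SITE_REQUEST = {
    "method": "POST",
    "cookies": {"session": "sess-abc"},
    "headers": {
        "Origin": "https://third-party.example.test",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "form": {"nameservers": "ns1.other.example.test,ns2.other.example.test"},
}


def legitimate_request():
    """Constructed same-site POST carrying the session's own CSRF token."""
    return {
        "method": "POST",
        "cookies": {"session": "sess-abc"},
        "headers": {"Origin": SITE_ORIGIN, "Content-Type": "application/x-www-form-urlencoded"},
        "form": {
            "nameservers": "ns1.example.test,ns2.example.test",
            "csrf_token": SESSIONS["sess-abc"]["csrf_token"],
        },
    }


def token_only_request():
    """Valid token but no Origin/Referer at all; the hardened handler still rejects it."""
    req = legitimate_request()
    req["headers"] = {"Content-Type": "application/x-www-form-urlencoded"}
    return req


if __name__ == "__main__":
    print("vulnerable, cross-site:", vulnerable_update_nameservers(CROSS_SITE_REQUEST))
    print("hardened, cross-site:  ", hardened_update_nameservers(CROSS_SITE_REQUEST))
    print("hardened, legitimate:  ", hardened_update_nameservers(legitimate_request()))
```

The two checks are deliberately independent: the token defeats a forged request that a third-party page cannot read, and the Origin/Referer check catches a request that somehow carries a token but did not originate on the site. Rejecting a request whose Origin and Referer are both absent is the conservative choice, since browsers send Origin on cross-origin POSTs but privacy settings can strip Referer.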
Saccomanni discovered the vulnerability on Saturday, and after receiving confirmation from Go Daddy that there was no timeline for a fix, he published the bug’s details on Saturday. As a result, Go Daddy closed the hole on Monday by implementing CSRF protection for sensitive account actions.