Domain registrar solves the problem without any delay

Jan 20, 2015 21:56 GMT

By leveraging a cross-site request forgery (CSRF) vulnerability, an attacker could have taken control of a website registered with GoDaddy after making changes to the domain settings in the account.

New York-based security engineer Dylan Saccomanni discovered that the state-changing POST requests behind DNS management actions for GoDaddy domains did not benefit from protection against CSRF.

In a blog post on Sunday, the engineer says that a CSRF attack made it possible to modify nameservers, change auto-renew settings and edit the zone file, all without a CSRF token in the request body or headers. Such a token would protect against alterations carried out via this method.

A CSRF attack consists of executing actions on a web application the victim is currently logged into. This can be done by delivering a link containing the malicious commands to the target; if the target is logged into the web application and CSRF protection is not available, the commands in the URL will execute.
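The token check described above, sketched as an added example (not GoDaddy's code and not from Saccomanni's post): a state-changing request is accepted only when it carries a token bound to the session, in the body or a header. The handler, the `X-CSRF-Token` header name, the `csrf_token` field and the HMAC-derived token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from protected config.
SERVER_KEY = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; it is embedded in the page's forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(method: str, session_id: str, headers: dict, form: dict) -> bool:
    """Accept a state-changing request only if it carries this session's token."""
    if method.upper() not in STATE_CHANGING:
        return True  # safe methods must not change state, so no token is required
    supplied = headers.get("X-CSRF-Token") or form.get("csrf_token") or ""
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle_nameserver_update(request: dict, zone: dict) -> int:
    """Hypothetical DNS-management handler; returns an HTTP status code."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401
    if not csrf_ok(request["method"], session_id, request["headers"], request["form"]):
        return 403  # the cookie was sent automatically, but the token was not
    zone["nameservers"] = request["form"]["nameservers"].split(",")
    return 200


if __name__ == "__main__":
    zone = {"nameservers": ["ns1.example.net"]}
    # Constructed requests: the browser attaches the session cookie to both.
    forged = {"method": "POST", "cookies": {"session": "abc123"}, "headers": {},
              "form": {"nameservers": "ns1.attacker.example"}}
    genuine = {"method": "POST", "cookies": {"session": "abc123"}, "headers": {},
               "form": {"nameservers": "ns1.example.org,ns2.example.org",
                        "csrf_token": issue_csrf_token("abc123")}}
    print(handle_nameserver_update(forged, zone), zone)
    print(handle_nameserver_update(genuine, zone), zone)
```

The forged request is rejected even though it carries a valid session cookie, because a page on another origin cannot read the token it would need to include.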

Saccomanni said that he encountered problems trying to get in touch with the security team at GoDaddy but finally received a response on Twitter from GoDaddy Help.

The security weakness was discovered by the engineer on Saturday and the next day he made a responsible disclosure. On Monday, GoDaddy implemented CSRF protection for sensitive account actions, Saccomanni says.