GoDaddy patches domain hijack hole
Domain goliath GoDaddy has rushed to plug a vulnerability that allowed attackers to hijack registered sites.

Pen tester Dylan Saccomanni dropped the Cross-Site Request Forgery (CSRF) bug on his blog after the company said there was no timeline for a fix.
The hacker posted code required to edit nameservers and DNS records, and turn off auto-renew features.

He found the flaw while tinkering with an old account, discovering a lack of CSRF protection on GoDaddy's DNS management actions.
The vulnerability type was exploited by attackers through social engineering, often phishing, to force authenticated admins to alter conditions or requests.

GoDaddy was not immediately able to say if accounts had been compromised.
Full Article: http://www.theregister.co.uk/2015/01/21/godaddy_rushes_to_plug_domain_hijack_hole/
 
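The missing check the post describes, as an added example that is neither GoDaddy's code nor from the linked article: a stripped-down DNS-management handler that trusts the session cookie alone, beside a hardened version that requires a per-session synchronizer token and refuses mismatched Origin headers. The origins, session store and request shape are all constructed for the illustration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://dns.example.test"  # constructed: the registrar's own origin
SESSIONS = {}                             # constructed in-memory store: cookie -> session

def new_session(user):
    """Log a user in and mint a per-session CSRF token for the hardened handler."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32),
                     "nameservers": ["ns1.example.net", "ns2.example.net"]}
    return sid

def update_nameservers_vulnerable(req):
    """Trusts the session cookie alone: any request the victim's browser sends with
    that cookie attached, including one a hostile page triggered, is honoured."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401
    sess["nameservers"] = req["form"]["nameservers"].split(",")
    return 200

def update_nameservers_hardened(req):
    """Same action gated by a synchronizer token, with an Origin check as backup."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401
    # The token travels in the form body, which another site can neither read nor
    # guess; compare in constant time so the check leaks no timing information.
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), sess["csrf"]):
        return 403
    # Browsers attach Origin to cross-site POSTs and page scripts cannot forge it.
    origin = req.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    sess["nameservers"] = req["form"]["nameservers"].split(",")
    return 200

def simulate_cross_site_post(handler):
    """Constructed scenario: a logged-in victim's browser submits a form built by
    another site; the cookie rides along but the session's token does not."""
    sid = new_session("victim")
    forged = {"cookies": {"session": sid}, "headers": {"Origin": "https://evil.invalid"},
              "form": {"nameservers": "ns1.attacker.invalid,ns2.attacker.invalid"}}
    return handler(forged), SESSIONS[sid]["nameservers"]
```

Run `simulate_cross_site_post` against each handler: the vulnerable one returns 200 and the nameservers change, the hardened one returns 403 and they do not.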
The scary thing about this isn't so much that the bug existed, but the appalling lack of response on Godaddy's part until drastic measures were taken to bring it to their attention.
 
Security is not a profit center, therefore corporations are not interested in fixing things.
And major breaches will continue to occur as a result.
 
By the way, Nodaddy could be the next Sony if the stakes are high enough for potential hackers.

In their defense, I think security is more difficult to handle in large corporations, because they have lots of employees and every single one of them can be the weak link. For example, if you send a phishing mail to 2000 employees, there is a stronger likelihood that at least one of them will take the bait.

I am sure that there are other bugs in their systems, that are not necessarily critical. A UI that is bloated and overly complex is bound to be more buggy.

Complexity is the worst enemy of security.
 
Security is not a profit center, therefore corporations are not interested in fixing things.
And major breaches will continue to occur as a result.

It is a major liability. Big corporations need to have a good security team that's on top of their game. Financial institutions have known this for a long time. I think companies are overall getting better at taking security issues seriously, apparently GD not so much. I'm still shocked that their initial response to this very serious vulnerability was to put it on the back burner.

By the way, Nodaddy could be the next Sony if the stakes are high enough for potential hackers.

Strong likelihood (and buzz in the security community) that Sony's incident was initiated by a disgruntled employee. Internal threats are a much bigger danger than external ones. Outsiders have to get through your perimeter (or social engineer an employee) to do anything. One pissed off insider with some knowledge and a little too much access can do a lot more damage.

In their defense, I think security is more difficult to handle in large corporations, because they have lots of employees and every single one of them can be the weak link. For example, if you send a phishing mail to 2000 employees, there is a stronger likelihood that at least one of them will take the bait.

It is. Security teams need to be proactive about educating employees on security awareness. There are btw companies that specialize in measuring your employees' response to realistic phishing attacks and conducting ongoing education customized to your needs.

I am sure that there are other bugs in their systems, that are not necessarily critical. A UI that is bloated and overly complex is bound to be more buggy.

Hellooooooooo Godaddy! (UI from hell.)
Complexity is the worst enemy of security.

Sure is.
 