GoDaddy has finally rolled out a fix for a vulnerability in its online support center that anyone could have exploited to change a GoDaddy account. Worst of all, abuse could have resulted in the deletion of an account with the domain registrar.
According to security researcher Matthew Bryant, the vulnerability was a cross-site scripting flaw of the kind known as blind XSS. The researcher explained that a GoDaddy page was flawed in that its name fields accepted cross-site scripting payloads. That means an attack could be carried out against a domain to take over the account that holds it.
A penetration tester would be unable to detect this kind of threat because the payload can lie dormant in the site, waiting for some user to trigger it. Without a robust notification system that alerts the tester when the payload fires, the tester has no way to identify the XSS vulnerability; the typical alert dialogue box is of no help here, since the tester never sees it.
In a blind XSS scenario, a user database may be read not only by the main web application but also by log-viewing applications. Those log-viewing applications pull their data from the same back-end storage as the user database.
According to the researcher, GoDaddy's online support application read the payload from a shared database and rendered it into a web page. The GoDaddy page where Bryant entered the payload encoded the input; however, the shared data source carried the payload into other GoDaddy services.
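The pattern described above, as an added illustration that is not code from the article or from GoDaddy: two renderers read the same constructed customer store, one encodes on output and one does not, and an output-side check flags which renderer lets stored data surface as live markup. All names, records and the marker string are constructed for the example.

```python
import html
from html.parser import HTMLParser
# Constructed records for the shared customer store; record 2 carries an
# inert marker tag in the name field the article says accepted payloads.
CUSTOMER_RECORDS = [
    {"id": 1, "name": "Alice Example"},
    {"id": 2, "name": "<script>/* constructed marker */</script>"},
]

def render_public_profile(record):
    # Customer-facing page: encodes on output, as the entry page did.
    return f"<h1>{html.escape(record['name'])}</h1>"

def render_support_console_vulnerable(record):
    # Internal console reading the same store but interpolating the raw
    # value: the blind XSS pattern described in the article.
    return f"<td class='customer'>{record['name']}</td>"

def render_support_console_fixed(record):
    # Same console, encoding at render time instead of trusting that some
    # other application encoded the value on the way in.
    return f"<td class='customer'>{html.escape(record['name'])}</td>"

class _TagCollector(HTMLParser):
    # Records every start tag a browser would see in the rendered page.
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(page_html, allowed_tags):
    # Tags the template did not emit itself came from stored data.
    collector = _TagCollector()
    collector.feed(page_html)
    return sorted(set(collector.tags) - set(allowed_tags))

# Each renderer paired with the tags its own template legitimately emits.
RENDERERS = {
    "public_profile": (render_public_profile, {"h1"}),
    "support_console_vulnerable": (render_support_console_vulnerable, {"td"}),
    "support_console_fixed": (render_support_console_fixed, {"td"}),
}

def audit_renderers(records=CUSTOMER_RECORDS):
    # Renderer -> ids of records that surface as live markup in its output.
    return {
        name: [r["id"] for r in records if injected_tags(render(r), allowed)]
        for name, (render, allowed) in RENDERERS.items()
    }
```

The audit reports only the unencoded support console, which is the lesson of the case: every sink that renders shared data must encode for its own output context, whatever the entry form did.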
Through this flaw, an attacker could take control of a GoDaddy support agent's page and abuse that privilege to access other accounts, modify domain names or even delete accounts. The risk is that a website hosted with GoDaddy could simply be wiped off the face of the Internet, which is particularly alarming for large Internet firms.
GoDaddy was not quick to fix the problem; it took the domain registrar months to release the patch. Bryant, who had used a tool to detect cross-site scripting flaws, said that GoDaddy initially invited him into the company's private bug bounty program in December. Two months later GoDaddy told Bryant that his findings were a duplicate, and months after that the researcher asked for permission to publicly disclose the flaw. GoDaddy asked him not to, citing the severity of the flaw.