Tuesday, January 20, 2015

After Paypal , it is GoDaddy - CSRF Vulnerability



In OWASP top 10 list - CSFT was #8

In December, a CSRF vulnerability that would have enabled a hacker to completely bypass the authentication system in PayPal was patched.  Now it is GoDaddy.

What surprises is websites belonging to companies that either rely  on eBusiness or play a crucial role seem to have these vulnerabilities


From the Article

Security researcher Dylan Saccomanni, while managing an old domain in GoDaddy, noticed that there was absolutely no CSRF protection at all on many GoDaddy DNS management actions.

While Saccomanni said that it was “somewhat difficult” to reach GoDaddy’s security, he eventually got through via Twitter from @GoDaddyHelp. Once notification was made, it only took one day for the web hosting giant to fix the flaw.

The bottom line is that an attacker could use the CSRF vulnerability to de facto take over a domain from a victim.

“They don’t need sensitive information about the victim’s account, either—for auto-renew and nameservers, you don’t need to know anything,” Saccomanni said. “For DNS record management, all you need to know is the domain name of the DNS records.”


Follow this link for additional details:


No comments:

Post a Comment