
GoDaddy patches CSRF bug discovered by security researcher

GoDaddy has patched a cross-site request forgery (CSRF) vulnerability that could have allowed an attacker to manipulate the settings of any domain registered with the registrar.

Security researcher Dylan Saccomanni, who reported the flaw, stumbled across the bug while managing an old domain on GoDaddy on Saturday, according to a recent blog post.

Saccomanni found that "many GoDaddy DNS management actions" had no CSRF protection at all, which would let an attacker edit nameservers, change auto-renew settings and edit the zone file on a victim's domains.

Exploiting the vulnerability would require some social engineering, according to Saccomanni: the attacker would have to get a user who is logged in to GoDaddy to visit a page that submits the forged request on their behalf.
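The mechanism described above, as an added illustration that is not GoDaddy's code or Saccomanni's: a hypothetical nameserver-update handler that trusts the session cookie alone, beside the same handler guarded by a per-session synchronizer token. The `Session` and `Request` objects and the zone data are constructed stand-ins for a real web framework, and the forged request models a hidden form that an attacker-controlled page auto-submits while the victim's browser attaches their cookie.

```python
"""Added example: CSRF on a DNS-management action, vulnerable and protected.
Hypothetical code; Session/Request are stand-ins for a real framework."""
import copy
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session secret that only pages served by the site can embed.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    # The browser sends the session cookie on every request to the site,
    # including requests a third-party page forges; the form body is
    # whatever that page put in it.
    session: Session
    form: dict


class CsrfError(Exception):
    pass


def update_nameservers_vulnerable(req: Request, zones: dict) -> list:
    """Trusts the cookie alone: any page the victim visits while logged in
    can submit this form on their behalf."""
    domain = req.form["domain"]
    zones[domain]["ns"] = req.form["nameservers"].split(",")
    return zones[domain]["ns"]


def update_nameservers_protected(req: Request, zones: dict) -> list:
    """Same action, but the form must carry the session's CSRF token.
    A cross-origin attacker page cannot read that token, so it cannot
    build a request that passes this check."""
    token = req.form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    if not hmac.compare_digest(token, req.session.csrf_token):
        raise CsrfError("missing or invalid CSRF token")
    domain = req.form["domain"]
    zones[domain]["ns"] = req.form["nameservers"].split(",")
    return zones[domain]["ns"]


def simulate() -> dict:
    """Runs a forged request and a legitimate one against both handlers."""
    victim = Session(user="alice")
    # Constructed zone data for the victim's domain.
    zones = {"example.com": {"ns": ["ns1.registrar.example",
                                    "ns2.registrar.example"]}}

    # Constructed forged request: the attacker's page knows the form
    # fields but not alice's token, and the browser adds her cookie.
    forged = Request(session=victim, form={
        "domain": "example.com",
        "nameservers": "ns1.attacker.example,ns2.attacker.example",
    })
    # Constructed legitimate request from a page the site itself served.
    legit = Request(session=victim, form={
        "domain": "example.com",
        "nameservers": "ns1.example.net,ns2.example.net",
        "csrf_token": victim.csrf_token,
    })

    results = {}
    results["vulnerable_forged"] = update_nameservers_vulnerable(
        forged, copy.deepcopy(zones))
    try:
        update_nameservers_protected(forged, copy.deepcopy(zones))
        results["protected_forged"] = "accepted"
    except CsrfError:
        results["protected_forged"] = "rejected"
    results["protected_legit"] = update_nameservers_protected(
        legit, copy.deepcopy(zones))
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The protected handler still accepts the legitimate change, because the site's own page can embed the token; the forged request carries the cookie but not the token and is refused. Real deployments pair the token with a framework-level check on every state-changing route rather than adding it per handler, which is the kind of gap the researcher described.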

After his discovery, Saccomanni attempted to contact GoDaddy and was told there was "no timeline" for a patch; CSRF protection was nevertheless in place by Monday.
