GoDaddy patches CSRF bug discovered by security researcher

January 20, 2015

A cross-site request forgery (CSRF) vulnerability that could have allowed an attacker to manipulate domain settings on any sites registered with the domain registrar has been patched by GoDaddy.

Security researcher Dylan Saccomanni, who reported the flaw, stumbled across the bug while managing an old domain on GoDaddy on Saturday, according to a recent blog post.

Saccomanni discovered that there was no cross-site request forgery security in place on “many GoDaddy DNS management actions,” which could allow attackers to edit nameservers, change auto-renew settings and edit the zone file.

In order to exploit the vulnerability, attackers would have to leverage some sort of social engineering tactic, according to Saccomanni.
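To make the defect concrete, here is an added example (not GoDaddy's code, and not from Saccomanni's post) of a state-changing "update nameservers" handler in its unprotected form beside a hardened one. The session store, domain records, origin and request shape are constructed stand-ins; the hardened handler uses a synchronizer token held in the session and an Origin check as defence in depth.

```python
import hmac
import secrets

# Constructed stand-ins (hypothetical) for a registrar's session store and DNS records.
SITE_ORIGIN = "https://registrar.example"
SESSIONS = {}     # session id -> {"user": ..., "csrf_token": ...}
NAMESERVERS = {}  # domain -> list of nameservers


def login(user):
    """Create a session and mint a per-session CSRF token alongside it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The value the registrar's own settings page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf_token"]


def update_nameservers_unprotected(request):
    """'Before' shape: a valid session cookie is the only check. Browsers attach
    cookies automatically, so a form posted from any other site is honoured too."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    NAMESERVERS[request["form"]["domain"]] = list(request["form"]["nameservers"])
    return 200


def update_nameservers_protected(request):
    """Hardened: synchronizer token plus an Origin check as defence in depth.
    Another origin can make the browser send the cookie, but it cannot read the
    token out of the registrar's page, so the submitted token never matches."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    NAMESERVERS[request["form"]["domain"]] = list(request["form"]["nameservers"])
    return 200
```

The same cross-site submission that the unprotected handler accepts is refused by the protected one, while a submission carrying the session's own token still succeeds.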

Following his discovery, Saccomanni made attempts to contact GoDaddy and received word that there would be “no timeline” for a patch; however, CSRF protection was implemented on Monday.