Domain name registry enabled domain hijacking through authentication vulnerability
GoDaddy.com was found to have a vulnerability in the way it handles Domain Name System (DNS) change requests, allowing hackers to hijack domains and create two disruptive spam email campaigns.
Krebs on Security said the scams, a bomb threat hoax and a sextortion email campaign from 2018, were allegedly made possible thanks to an authentication weakness in GoDaddy. The vulnerability, discovered by independent researcher Ronald Guilmette, allowed any user to add a domain to their account without any validation that they actually owned the domain.
More worryingly, Guilmette warned that this same weakness also affected other major internet service providers and is actively being used to launch phishing and malware attacks.
In December an email threatening to blow up buildings and schools triggered mass evacuations, closures and lockdowns in the US and Canada. The scam demanded $20,000 in ransom and used 78 domains belonging to Expedia, Mozilla, Yelp and many other legitimate individuals and organisations.
This same method was used by scammers to hijack thousands of other domains attributed to well-known organisations in order to threaten the publication of private videos.
A thorough investigation of these scams found that virtually all of the affected domains received domain-resolution service from GoDaddy.com prior to being hijacked.
“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” GoDaddy confirmed to ArsTechnica. “We’ve identified a fix and are taking corrective action immediately. While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”
GoDaddy didn’t go into detail about the weakness, but Guilmette downloaded a complete copy of the zone file for domains ending in .com and identified 34 million that pointed to GoDaddy DNS servers. He then checked how many of those domains were not resolvable; the answer was almost 262,000.
When considering the 74 million domain names GoDaddy claims it manages, Guilmette estimated that GoDaddy’s authentication weakness left more than 553,000 domains vulnerable to hijacking.
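The check Guilmette ran against the .com zone can be turned into a routine audit of the domains an organisation itself administers: find names that are delegated to a hosted-DNS provider whose servers do not actually hold a zone for them. The Python below is an added example, not code from the article or from Guilmette; it assumes GoDaddy's hosted nameservers share the domaincontrol.com suffix and uses constructed sample lookups in place of live DNS queries.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# NS suffix that identifies a hosted-DNS provider. The GoDaddy suffix is an
# assumption made for this example; the article does not name it.
PROVIDER_NS_SUFFIXES: Dict[str, str] = {"godaddy": "domaincontrol.com"}

@dataclass
class AuthResponse:
    """Result of a non-recursive SOA query sent directly to one nameserver."""
    rcode: str             # "NOERROR", "REFUSED", "SERVFAIL", ...
    has_soa: bool = False  # True only if the answer section carried an SOA

def audit_domain(domain: str, get_ns: Callable[[str], List[str]],
                 query_soa: Callable[[str, str], AuthResponse]) -> dict:
    """get_ns(domain) returns the NS hosts the parent zone delegates to;
    query_soa(ns_host, domain) asks that server for the zone's SOA with
    recursion off (equivalent to: dig +norecurse SOA <domain> @<ns_host>)."""
    ns_hosts = [h.lower().rstrip(".") for h in (get_ns(domain) or [])]
    if not ns_hosts:
        return {"domain": domain, "provider": None, "status": "no-delegation"}
    provider = next((p for p, sfx in PROVIDER_NS_SUFFIXES.items()
                     if any(h.endswith(sfx) for h in ns_hosts)), None)
    if provider is None:
        return {"domain": domain, "provider": None, "status": "not-provider-hosted"}
    suffix = PROVIDER_NS_SUFFIXES[provider]
    served = any(query_soa(h, domain).has_soa for h in ns_hosts if h.endswith(suffix))
    # Delegated to the provider, yet none of its servers holds the zone: the name
    # is dormant there, and a provider that lets any account add it without an
    # ownership check would hand that account control of the name's records.
    return {"domain": domain, "provider": provider,
            "status": "served" if served else "dangling"}

# Constructed sample data standing in for live lookups, so this runs offline.
SAMPLE_NS = {
    "active.example": ["ns01.domaincontrol.com.", "ns02.domaincontrol.com."],
    "dormant.example": ["ns51.domaincontrol.com.", "ns52.domaincontrol.com."],
    "selfhosted.example": ["ns1.selfhosted.example."],
}
SAMPLE_SOA = {
    ("ns01.domaincontrol.com", "active.example"): AuthResponse("NOERROR", True),
    ("ns02.domaincontrol.com", "active.example"): AuthResponse("NOERROR", True),
    ("ns51.domaincontrol.com", "dormant.example"): AuthResponse("REFUSED"),
}

def sample_query_soa(ns_host: str, domain: str) -> AuthResponse:
    return SAMPLE_SOA.get((ns_host, domain), AuthResponse("SERVFAIL"))

def audit_portfolio(domains, get_ns=SAMPLE_NS.get, query_soa=sample_query_soa):
    return {d: audit_domain(d, get_ns, query_soa)["status"] for d in domains}
```

A "dangling" result means the delegation should either be backed by a zone created at the provider or re-pointed elsewhere; for a live run, wire `get_ns` and `query_soa` to real NS and non-recursive SOA lookups.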