
GoDaddy authentication vulnerability exploited for phishing campaigns

Domain registrar's DNS setup process enabled domain hijacking through an authentication weakness


GoDaddy.com was found to have a vulnerability in the way it handled Domain Name System (DNS) change requests, allowing attackers to hijack domains and run two disruptive spam email campaigns.

Krebs on Security reported that the scams, a bomb threat hoax and a sextortion email campaign from 2018, were allegedly made possible by an authentication weakness at GoDaddy. The vulnerability, discovered by independent researcher Ronald Guilmette, allowed any user to add a domain to their GoDaddy DNS hosting account without any validation that they actually owned the domain.

More worryingly, Guilmette warned that the same weakness also affected other major internet service providers and was actively being used to launch phishing and malware attacks.

In December 2018 an email threatening to blow up buildings and schools triggered mass evacuations, closures and lockdowns in the US and Canada. The hoax demanded $20,000 in ransom and was sent from 78 hijacked domains belonging to Expedia, Mozilla, Yelp and many other legitimate individuals and organisations.

The same method was used by scammers to hijack thousands of other domains attributed to well-known organisations for a sextortion campaign that threatened to publish private videos of the recipients.

Analysis of the domains used in both campaigns found that virtually all of them were receiving domain-resolution service from GoDaddy.com before they were hijacked.

"After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process," GoDaddy confirmed to Ars Technica. "We've identified a fix and are taking corrective action immediately. While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed."

GoDaddy didn't go into detail about the weakness, but the pattern is the classic dangling delegation: a domain whose NS records point at a provider's nameservers even though no customer account at that provider is configured to serve it. Because GoDaddy let anyone add such a name to their own account without proving ownership, whoever got there first could answer for it. To measure the exposure, Guilmette downloaded a complete copy of the zone file for domains ending in .com and identified 34 million that pointed to GoDaddy DNS servers. He then checked how many of those GoDaddy's servers did not actually resolve; the answer was almost 262,000.

Extrapolating to the 74 million domain names GoDaddy says it manages, Guilmette estimated that the authentication weakness left more than 553,000 domains open to hijacking.
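The measurement Guilmette describes, as an added example that is not code from the article, from Guilmette, from Krebs or from GoDaddy: parse NS records out of a TLD zone file, keep the domains delegated to one provider's nameservers, then ask each listed nameserver directly, without recursion, whether it is authoritative for the name. A delegation where no listed server answers authoritatively is a dangling one that an attacker could claim. The zone-file lines and the probe answers below are constructed for the demo, and the provider nameserver suffix is an assumption you should replace with the one your own provider uses.

```python
"""Find dangling delegations: domains whose NS records point at a DNS
provider although no zone for them is configured on those servers.
Added example. SAMPLE_ZONE, FAKE_ANSWERS and PROVIDER_NS_SUFFIX are
constructed/assumed, not taken from the article."""
import random
import socket
import struct
from collections import defaultdict

PROVIDER_NS_SUFFIX = "domaincontrol.com"   # assumption: replace with your provider's NS suffix

# Constructed sample in .com zone-file style: $ORIGIN, relative and absolute
# owner names, optional TTL/class, mixed case and a comment.
SAMPLE_ZONE = """\
$ORIGIN COM.
victim-one            NS   ns01.domaincontrol.com.
victim-one            NS   ns02.domaincontrol.com.
HEALTHY-SITE.COM. 172800 IN NS ns45.domaincontrol.com.
HEALTHY-SITE.COM. 172800 IN NS ns46.domaincontrol.com.
other-host            NS   ns1.example-dns.net.   ; not hosted at the provider
"""

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_ns_records(zone_text, origin="com."):
    """Return {owner_fqdn: {nameserver_fqdn, ...}} for every NS record."""
    records = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()            # strip comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        upper = [t.upper() for t in tokens]
        if "NS" not in upper:
            continue
        idx = upper.index("NS")                        # TTL and class are optional
        if idx == 0 or idx + 1 >= len(tokens):
            continue
        owner, target = tokens[0].lower(), tokens[idx + 1].lower()
        owner = owner if owner.endswith(".") else f"{owner}.{origin}"
        target = target if target.endswith(".") else f"{target}.{origin}"
        records[owner].add(target)
    return dict(records)


def delegated_to(records, suffix):
    """Keep only domains whose every nameserver sits under `suffix`."""
    tail = "." + suffix.strip(".").lower() + "."
    return {d: ns for d, ns in records.items() if all(n.endswith(tail) for n in ns)}


def live_probe(domain, nameserver, timeout=3.0):
    """Send a non-recursive SOA query straight to `nameserver` over UDP.
    Returns (rcode_name, authoritative). A server with no zone for the name
    usually answers REFUSED/SERVFAIL or NOERROR without the AA bit."""
    qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)    # flags 0: RD off
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.strip(".").split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", 6, 1)           # QTYPE SOA, QCLASS IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (socket.gethostbyname(nameserver.strip(".")), 53))
        data, _ = sock.recvfrom(512)
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid:
        raise ValueError("DNS response ID mismatch")
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & 0x0400)


def find_dangling(delegations, probe):
    """Return {domain: {ns: (rcode, aa)}} for domains no listed NS serves."""
    dangling = {}
    for domain, servers in sorted(delegations.items()):
        answers = {ns: probe(domain, ns) for ns in sorted(servers)}
        if not any(rc == "NOERROR" and aa for rc, aa in answers.values()):
            dangling[domain] = answers
    return dangling


# Constructed answers standing in for the network so the demo runs offline.
FAKE_ANSWERS = {
    ("victim-one.com.", "ns01.domaincontrol.com."): ("REFUSED", False),
    ("victim-one.com.", "ns02.domaincontrol.com."): ("REFUSED", False),
    ("healthy-site.com.", "ns45.domaincontrol.com."): ("NOERROR", True),
    ("healthy-site.com.", "ns46.domaincontrol.com."): ("NOERROR", True),
}


def fake_probe(domain, nameserver):
    return FAKE_ANSWERS.get((domain, nameserver), ("SERVFAIL", False))


def demo():
    """Whole pipeline over the constructed sample; returns the dangling set."""
    records = parse_ns_records(SAMPLE_ZONE)
    return find_dangling(delegated_to(records, PROVIDER_NS_SUFFIX), fake_probe)


if __name__ == "__main__":
    for domain, answers in demo().items():
        print(f"{domain} looks hijackable: {answers}")
```

To check real domains, pass `live_probe` instead of `fake_probe`; it speaks raw DNS so it needs no third-party library, but it does need network access and should be rate-limited and confined to names you are authorised to test. The AA check matters: a provider nameserver may return NOERROR for a name it does not host while leaving the authoritative bit clear, and counting that as "resolvable" would hide exactly the dormant delegations the article describes.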

Another independent researcher, Matthew Bryant, reported in 2016 that a similar weakness at Google Cloud, Amazon's Route 53, Rackspace and DigitalOcean left control of more than 120,000 domains up for grabs.

"A lot of providers say 'it's not our fault. It's a user mistake' but if the case is that the user is going to make this mistake every time, it still causes very real issues," said Bryant.

"Everyone can say 'It's the person's responsibility. It's not ours.' but at the end of the day, it's the providers who are going to have to take responsibility to get it fixed."
