GoDaddy authentication vulnerability exploited for phishing campaigns


GoDaddy.com was found to have a vulnerability in the way it handles domain name server (DNS) change requests, allowing hackers to hijack domains and create two disruptive spam email campaigns.

Krebs on Security said the scams, a bomb threat hoax and a sextortion email campaign from 2018, were allegedly made possible thanks to an authentication weakness in GoDaddy. The vulnerability, discovered by independent researcher Ronald Guilmette, allowed any user to add a domain to their account without any validation that they actually owned the domain.

More worryingly, Guilmette warned that this same weakness also affected other major internet service providers and is actively being used to launch phishing and malware attacks.

In December, an email threatening to blow up buildings and schools triggered mass evacuations, closures and lockdowns in the US and Canada. The scam demanded $20,000 in ransom and used 78 domains belonging to Expedia, Mozilla, Yelp and many other legitimate individuals and organisations.

This same method was used by scammers to hijack thousands of other domains attributed to well-known organisations in order to threaten the publication of private videos.

A thorough investigation of these scams found that virtually all of the affected domains received domain-resolution service from GoDaddy.com prior to being hijacked.

"After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process," GoDaddy confirmed to ArsTechnica. "We've identified a fix and are taking corrective action immediately. While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed."

GoDaddy didn't go into detail about the weakness, but Guilmette downloaded a complete copy of the zone file for domains ending in .com and identified 34 million that pointed to GoDaddy DNS servers. This was then checked to see how many of these weren't resolvable; the answer was almost 262,000.

When considering the 74 million domain names GoDaddy claims it manages, Guilmette estimated that GoDaddy's authentication weakness left more than 553,000 domains vulnerable to hijacking.
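The audit approach the article describes (find the domains delegated to a provider's nameservers, then test which of them no longer resolve there) as an added Python example that is not from the article or from Guilmette's own tooling; the zone snippet, the nameserver suffix `provider-dns.example` and the `fake_resolve` lookup are constructed stand-ins for the real .com zone file and a live authoritative DNS query.

```python
import re
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample in zone-file style, standing in for the .com zone the
# article describes (hypothetical names, not real domains).
SAMPLE_ZONE = """\
; constructed sample, not real zone data
alpha-shop.com.   172800 IN NS ns1.provider-dns.example.
alpha-shop.com.   172800 IN NS ns2.provider-dns.example.
beta-blog.com.    172800 IN NS ns1.provider-dns.example.
gamma-corp.com.   172800 IN NS ns1.other-host.example.
delta-news.com.   172800 IN NS ns2.provider-dns.example.
"""

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)", re.IGNORECASE)

def delegated_domains(zone_text: str, ns_suffix: str) -> Set[str]:
    """Return domains whose delegation includes a nameserver under ns_suffix."""
    suffix = ns_suffix.lower().rstrip(".")
    found: Set[str] = set()
    for line in zone_text.splitlines():
        if line.startswith(";"):
            continue  # zone-file comment
        m = NS_RE.match(line)
        if not m:
            continue  # not an NS record
        domain = m.group(1).lower().rstrip(".")
        ns = m.group(2).lower().rstrip(".")
        if ns == suffix or ns.endswith("." + suffix):
            found.add(domain)
    return found

def dangling_delegations(domains: Iterable[str], resolve: Callable[[str], bool]) -> List[str]:
    """Domains delegated to the provider but with no zone actually served there.

    `resolve` answers "does the provider's nameserver give an authoritative
    answer for this name?"; in production that is a real DNS query, here it
    is injected so the check runs offline."""
    return sorted(d for d in domains if not resolve(d))

# Constructed stand-in for the authoritative lookup: only two of the
# delegated names really have a zone at the provider.
HOSTED: Dict[str, bool] = {"alpha-shop.com": True, "beta-blog.com": True}

def fake_resolve(domain: str) -> bool:
    return HOSTED.get(domain, False)

def audit(zone_text: str = SAMPLE_ZONE, ns_suffix: str = "provider-dns.example") -> List[str]:
    return dangling_delegations(delegated_domains(zone_text, ns_suffix), fake_resolve)

if __name__ == "__main__":
    for d in audit():
        print(f"dangling delegation (hijackable if the provider skips ownership checks): {d}")
```

Run against your own domain portfolio, every name this flags should either be removed from the registrar delegation or re-created as a zone at the provider before anyone else can claim it.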

Another independent researcher, Matthew Bryant, reported a weakness in Google Cloud, Amazon's Route 53, Rackspace and DigitalOcean that left control of more than 120,000 domains up for grabs in 2016.

"A lot of providers say 'it's not our fault. It's a user mistake' but if the case is that the user is going to make this mistake every time, it still causes very real issues," said Bryant.

"Everyone can say 'It's the person's responsibility. It's not ours.' but at the end of the day, it's the providers who are going to have to take responsibility to get it fixed."

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognise him as the face of many of our video reviews of laptops and smartphones.