GoDaddy has patched a severe security issue which allowed cyberattackers to leverage the firm’s support systems to hijack, abuse and delete customer accounts.
Security researcher Matthew Bryant, who also happens to be a customer of the web hosting provider, revealed in a blog post that the issue was caused by a blind cross-site scripting (XSS) vulnerability.
Blind XSS flaws are often missed as they only occur when an XSS payload fires into a browser other than an attacker’s — and penetration testers may also miss this vulnerability due to there being a “limited methodology for finding these vulnerabilities,” according to Bryant.
“When your payloads are all <script>alert(1)</script> you’re making the assumption that the XSS will fire in your browser, when it’s likely it will fire in other places and in other browsers,” Bryant says.
“Without a payload that notifies you regardless of the browser it fires in, you’re probably missing out on the biggest vulnerabilities.”
When the researcher accessed GoDaddy, he noticed that his first and last name could be set to an XSS payload. Bryant then planted an XSS payload, and happened to forget about it until he made a call to the web host to transfer a domain to a different registrar. The rep in question was experiencing difficulties, and at that point, Bryant realized he had received emails containing his payloads.
“Blind XSS payloads act more like mines which lie dormant until someone triggers them,” Bryant added.
The mines had been stepped on, delivering the code — and breaking the rep’s support page in the process.
If exploited, the blind XSS flaw allowed attackers to have the same rights, privileges and controls as any GoDaddy customer representative.
This is effectively handing an attacker the keys to an account, since reps can do anything from modifying account information and viewing every detail stored in it to deleting it altogether.
After Bryant reported the issue at the end of last year, GoDaddy said the XSS flaw was a complicated issue requiring input from several teams across both front-end and back-end development.
Minor changes were released on 20 April to mitigate the problem, and a full fix was pushed out on 25 April 2016.
How can companies avoid being exploited in this way? According to the researcher, the standard defence is contextually-aware output encoding, but preventing payloads from being stored at all, by filtering input consistently across every system that writes to the shared data, can also prevent many exploits.
“Obviously, ideally you would have both, but for companies with many services drawing from the same data sources you can get a lot of win with just a little filtering. This is the approach that GoDaddy took for remediation, likely for the same reasons.”
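The two defences the article describes, context-aware output encoding on every page that renders customer data and an input filter that keeps payloads out of the stored name fields in the first place, are illustrated below. This is an added example, not GoDaddy's code or Bryant's; the stored name value, the regular expression, the function names and the three-context support page template are all assumptions constructed for the demonstration.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed sample: a profile first-name field that holds a stored XSS
# payload, the kind of value the article says the name fields accepted.
STORED_NAME = '<script>alert(1)</script>'


def encode_html_body(value: str) -> str:
    """Encode for insertion as HTML text content, e.g. <h1>{value}</h1>."""
    return html.escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    """Encode for insertion inside a double-quoted attribute, e.g. value="{value}".
    quote=True also escapes " and ' so the value cannot close the attribute."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encode for insertion inside a <script> block as a JS string literal.
    json.dumps yields a quoted, escaped literal; < and > are additionally
    escaped so a stored '</script>' can never terminate the enclosing script."""
    literal = json.dumps(value)
    return literal.replace('<', '\\u003c').replace('>', '\\u003e')


# Input filter applied on write (hypothetical policy): reject HTML/JS
# metacharacters in a name field and cap its length. Apostrophes and
# hyphens stay allowed because real names contain them.
NAME_ALLOWED = re.compile(r'^[^<>"&;=(){}\\]{1,64}$')


def accept_name(value: str) -> bool:
    """Return True if the value may be stored as a customer name."""
    return bool(NAME_ALLOWED.match(value))


def render_support_page(name: str) -> str:
    """Render the customer name into the three contexts an internal support
    page might use: HTML body, HTML attribute and a JS string literal.
    Each context gets its own encoder; one encoder for all three is the
    classic mistake."""
    return (
        f"<h1>Customer: {encode_html_body(name)}</h1>\n"
        f'<input type="text" value="{encode_html_attr(name)}">\n'
        f"<script>var customerName = {encode_js_string(name)};</script>"
    )


class _ScriptCounter(HTMLParser):
    """Count <script> start tags in rendered markup."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(page: str) -> int:
    """The template contains exactly one <script>; any extra one would have
    come from the stored data, i.e. an encoding failure."""
    parser = _ScriptCounter()
    parser.feed(page)
    return parser.scripts


if __name__ == "__main__":
    # The filter would have rejected the payload on write ...
    print("accepted on write:", accept_name(STORED_NAME))
    # ... and even if it were stored, the rendered page stays inert.
    page = render_support_page(STORED_NAME)
    print(page)
    print("script tags in page:", count_script_tags(page))
```

Running the block prints the support page with the payload rendered as harmless text in all three contexts and reports a single script tag, the template's own. Both layers are worth having: the filter protects every consumer of the shared data store at once, while the per-context encoders protect a page even when data reached the store through a path the filter never covered.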