

GoDaddy CSRF Vulnerability Allows Domain Takeover - zuck9
http://breakingbits.net/2015/01/18/taking-over-godaddy-accounts-using-csrf/

======
ireflect
Good find and nice writeup, but this disclosure timeline is pretty harsh!

> 01/17/15 [Saturday] Initial discovery and attempt to reach GoDaddy
> security.

> 01/18/15 [Sunday] Further attempts to reach GoDaddy security, finally
> received word there was no timeline for a fix.

That GoDaddy acknowledged the issue after only a day (over a weekend, no less)
is impressive. Surely they deserve another few days to figure out a timeline
for a fix.

~~~
xordon
> 1/19/15 [Monday] GoDaddy implemented CSRF protection for sensitive account
> actions.

------
Joona
Reddit discussion:
[https://www.reddit.com/r/netsec/comments/2sz6n0/godaddy_csrf...](https://www.reddit.com/r/netsec/comments/2sz6n0/godaddy_csrf_vulnerability_allows_domain_takeover/)

------
crivabene
I wonder if this vulnerability is in some way related to the Gigya.com domain
takeover by the SEA that happened in November.

