Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 17.04.2025
Last edited by xlefloch - 28.04.2025

FS#156 - Security Report - Domain & site Transfer & Subscription Account Exploit Vulnerability

To: Alwaysdata Security Team
From: Mustafa
Date: [17 April 2025]

I would like to clarify that this vulnerability is completely different from the one reported in Report #151. In this case, the subscription account transfer invitation is sent first, followed by the domain transfer invitation while waiting for acceptance, which allows the exploitation of an unprotected time gap.

I also confirm that the vulnerability reported in Report #151 has been fixed.

Please review the details below.

### Executive Summary
A critical security vulnerability (High Risk) has been identified in Alwaysdata's domain, site, and subscription account management system. This flaw allows an attacker to hijack a victim's domain without their knowledge by exploiting the account invitation transfer mechanism. Immediate action is required due to its direct impact on user data confidentiality and integrity.

### Vulnerability Details
#### Exploitation Mechanism
1. Attacker Setup:

  1. Account A: Used to send a subscription account transfer invitation to the victim (Account C).
  2. Account B: Used to receive a domain transfer invitation from Account A.

2. Attack Steps:

  1. Account A sends a subscription account transfer request to Victim C.
  2. Simultaneously (or before C accepts), Account A sends a domain transfer request to Account B.
  3. When Victim C accepts the subscription transfer, they believe they now own the domain and associated data.
  4. Meanwhile, the domain transfer request to Account B remains pending, invisible to C.
  5. After C adds sensitive data (emails, mailing lists, configurations), Account B accepts the domain transfer, seizing full control.

#### Why Is This Critical?
- The victim receives no warning about pending domain transfer requests.
- The attacker can choose the timing of the takeover (e.g., waiting until the victim adds critical data).
- All domain-linked services (email, websites, Mailman lists) become compromised.

PoC: https://admin.alwaysdata.com/support/86381/

### Impact Assessment
- High Risk per OWASP/CVE standards:

  1. Privacy Breach: Theft of emails and user data.
  2. Ownership Hijacking: "Legitimate-looking" domain transfer without user consent.
  3. No Traceability: The victim remains unaware until irreversible damage occurs.

### Proof of Concept (PoC)
- The scenario is practical and replicable in Alwaysdata's live environment.
- Requires minimal technical skill, only exploiting the timing gap in transfer requests.

### Recommended Fixes
1. Transfer Mechanism Patch:

  1. Block concurrent transfer requests (subscription + domain) for the same account.
  2. Add a conflict check before approving any transfer.

2. User Notifications:

  1. Immediately alert users of pending domain transfer requests.
  2. Show a clear warning during subscription transfers if a domain transfer is pending.

3. Grace Period:

  1. Implement a 24-hour delay for domain transfers with repeated owner notifications.

4. Retroactive Audit:

  1. Review past domain transfers for suspicious activity.

### Conclusion
This vulnerability severely undermines user trust and poses legal/financial risks. We urge treating it as a P1 priority and transparently informing users of security updates.
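The conflict check recommended above (fix 1), modelled as an added example that is not Alwaysdata's code and assumes nothing about their real transfer API: a subscription transfer and a domain transfer for the same account can never be pending at the same time, and the check is repeated at approval time so the request-time check cannot be raced.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

class TransferConflict(Exception):
    """A transfer request overlaps with another transfer that is still pending."""

@dataclass
class Account:
    name: str
    domains: Set[str] = field(default_factory=set)
    pending_sub_to: Optional[str] = None                    # subscription transfer recipient
    pending_domains: Dict[str, str] = field(default_factory=dict)  # domain -> recipient

class TransferService:
    def __init__(self, accounts):
        # accounts: {name: set of domains}; the caller supplies constructed sample data
        self.accounts = {n: Account(n, set(d)) for n, d in accounts.items()}

    def _check_conflict(self, acct, kind):
        # The report's conflict check: a subscription transfer and a domain transfer
        # must never be pending at the same time for the same account.
        if kind == "subscription" and acct.pending_domains:
            raise TransferConflict(f"{acct.name}: domain transfer pending for {sorted(acct.pending_domains)}")
        if kind == "domain" and acct.pending_sub_to:
            raise TransferConflict(f"{acct.name}: subscription transfer pending to {acct.pending_sub_to}")

    def request_subscription_transfer(self, src, dst):
        acct = self.accounts[src]
        self._check_conflict(acct, "subscription")
        acct.pending_sub_to = dst

    def request_domain_transfer(self, src, domain, dst):
        acct = self.accounts[src]
        self._check_conflict(acct, "domain")
        acct.pending_domains[domain] = dst

    def accept_subscription_transfer(self, src):
        acct = self.accounts[src]
        self._check_conflict(acct, "subscription")  # re-check at approval time, not only at request time
        dst = self.accounts[acct.pending_sub_to]
        dst.domains |= acct.domains
        acct.domains.clear()
        acct.pending_sub_to = None

    def accept_domain_transfer(self, src, domain):
        acct = self.accounts[src]
        self._check_conflict(acct, "domain")
        dst = self.accounts[acct.pending_domains.pop(domain)]
        acct.domains.discard(domain)
        dst.domains.add(domain)
```

With this check in place, the ordering from the attack steps (subscription invitation first, domain invitation while it is pending, or the reverse) is refused at the second request, so the recipient of the subscription never inherits a domain with a hidden pending transfer.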

Closed by xlefloch
28.04.2025 09:26
Reason for closing: Fixed

Hi team,

Any update to this report?

Thank you,

Admin

Hello,

The issue is valid and has been fixed.

Do you confirm?

Regards,

Hi,

I confirm the fix is working.

Best regards,
Mustafa

Hello,

Thank you for confirming the bug and applying the fix.

Could you please let me know the current status of the report? Is it ready to be closed?

Best regards,
Mustafa

Admin

Yes it is, we can continue via a support ticket.
