- Status Closed
- Assigned To No-one
- Private
Opened by monty099 - 17.04.2025
Last edited by xlefloch - 28.04.2025
FS#156 - Security Report - Domain & site Transfer & Subscription Account Exploit Vulnerability
To: Alwaysdata Security Team
From: Mustafa
Date: [17 April 2025]
I would like to clarify that this vulnerability is completely different from the one reported in Report #151. In this case, the subscription account transfer invitation is sent first, followed by the domain transfer invitation while waiting for acceptance, which allows the exploitation of an unprotected time gap.
I also confirm that the vulnerability reported in Report #151 has been fixed.
Please review the details below.
–
### Executive Summary
A critical security vulnerability (High Risk) has been identified in Alwaysdata's domain, site and subscription account management system. This flaw allows an attacker to hijack a victim's domain without their knowledge by exploiting the account transfer invitation mechanism. Immediate action is required due to its direct impact on user data confidentiality and integrity.
—
### Vulnerability Details
#### Exploitation Mechanism
1. Attacker Setup:
   - Account A: Used to send a subscription account transfer invitation to the victim (Account C).
   - Account B: Used to receive a domain transfer invitation from Account A.
2. Attack Steps:
   - Account A sends a subscription account transfer request to Victim C.
   - Simultaneously (or before C accepts), Account A sends a domain transfer request to Account B.
   - When Victim C accepts the subscription transfer, they believe they now own the domain and associated data.
   - Meanwhile, the domain transfer request to Account B remains pending, invisible to C.
   - After C adds sensitive data (emails, mailing lists, configurations), Account B accepts the domain transfer, seizing full control.
#### Why Is This Critical?
- The victim receives no warning about pending domain transfer requests.
- The attacker can choose the timing of the takeover (e.g., waiting until the victim adds critical data).
- All domain-linked services (email, websites, Mailman lists) become compromised.
PoC: https://admin.alwaysdata.com/support/86381/
### Impact Assessment
- High Risk per OWASP/CVE standards:
  - Privacy Breach: Theft of emails and user data.
  - Ownership Hijacking: "Legitimate-looking" domain transfer without user consent.
  - No Traceability: The victim remains unaware until irreversible damage occurs.
—
### Proof of Concept (PoC)
- The scenario is practical and replicable in Alwaysdata's live environment.
- Requires minimal technical skill, only exploiting the timing gap in transfer requests.
—
### Recommended Fixes
1. Transfer Mechanism Patch:
   - Block concurrent transfer requests (subscription + domain) for the same account.
   - Add a conflict check before approving any transfer.
2. User Notifications:
   - Immediately alert users of pending domain transfer requests.
   - Show a clear warning during subscription transfers if a domain transfer is pending.
3. Grace Period:
   - Implement a 24-hour delay for domain transfers with repeated owner notifications.
4. Retroactive Audit:
   - Review past domain transfers for suspicious activity.
—
### Conclusion
This vulnerability severely undermines user trust and poses legal/financial risks. We urge treating it as a P1 priority and transparently informing users of security updates.
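The following is an added illustration of the race described in the report, not code from the report or from Alwaysdata. It is a minimal in-memory Python model of the two transfer flows: a subscription transfer moves every domain of the sending account, a domain transfer moves one domain. The vulnerable panel records the two invitations independently, so Account B's acceptance moves the domain out from under C after C has already accepted. The hardened panel applies fixes 1 and 2 above: it refuses a second transfer that overlaps a pending one, re-checks ownership at approval time, and exposes the list of pending domain transfers a recipient should be warned about (the vulnerable panel already holds that data but never surfaces it, which is what the run below shows). Account names A, B, C and the domain name are constructed example data.

```python
from dataclasses import dataclass, field


class TransferConflict(Exception):
    """Raised by the hardened panel when a transfer overlaps a pending one."""


@dataclass
class Transfer:
    kind: str        # "subscription" (whole account) or "domain" (one domain)
    subject: str     # sender account for "subscription", domain name for "domain"
    sender: str
    recipient: str


@dataclass
class Panel:
    """Toy control panel (constructed model): domains map to the owning account."""
    domains: dict                                 # domain name -> owning account
    hardened: bool = False                        # apply fixes 1 and 2 from the report
    pending: dict = field(default_factory=dict)   # transfer id -> Transfer
    next_id: int = 1

    def owned_by(self, account):
        return {d for d, owner in self.domains.items() if owner == account}

    def touched(self, t):
        # Objects a transfer will move: every domain of the sender for a
        # subscription transfer, a single domain for a domain transfer.
        return self.owned_by(t.sender) if t.kind == "subscription" else {t.subject}

    def invite(self, kind, subject, sender, recipient):
        if kind == "subscription" and subject != sender:
            raise PermissionError(f"{sender} cannot transfer account {subject}")
        if kind == "domain" and self.domains.get(subject) != sender:
            raise PermissionError(f"{sender} does not own {subject}")
        t = Transfer(kind, subject, sender, recipient)
        if self.hardened:
            # Fix 1: block a concurrent transfer that overlaps a pending one.
            for p in self.pending.values():
                if self.touched(t) & self.touched(p):
                    raise TransferConflict(f"a pending transfer already covers {subject}")
        tid, self.next_id = self.next_id, self.next_id + 1
        self.pending[tid] = t
        return tid

    def pending_domain_transfers(self, account):
        # Fix 2: what a recipient must be shown before accepting a subscription
        # transfer from this account. The vulnerable panel never displays it.
        return sorted(t.subject for t in self.pending.values()
                      if t.kind == "domain" and self.domains[t.subject] == account)

    def accept(self, tid, account):
        t = self.pending.pop(tid)
        if t.recipient != account:
            raise PermissionError(f"{account} was not invited")
        if t.kind == "subscription":
            warnings = self.pending_domain_transfers(t.sender)
            for d in self.owned_by(t.sender):
                self.domains[d] = account
            return warnings
        if self.hardened and self.domains[t.subject] != t.sender:
            # Fix 1, re-checked at approval time: the sender no longer owns it.
            raise TransferConflict(f"{t.sender} no longer owns {t.subject}")
        self.domains[t.subject] = account
        return []


def run_attack(hardened):
    """Replays the report's steps on constructed data: A attacker, B accomplice, C victim."""
    panel = Panel(domains={"victim-target.example": "A"}, hardened=hardened)
    sub = panel.invite("subscription", "A", "A", "C")                  # step 1: invite the victim
    try:
        dom = panel.invite("domain", "victim-target.example", "A", "B")  # step 2: invite accomplice
    except TransferConflict:
        return {"blocked": True, "owner": panel.domains["victim-target.example"],
                "pending_at_acceptance": []}
    pending_seen = panel.accept(sub, "C")     # step 3: C accepts and believes it owns the domain
    panel.accept(dom, "B")                    # step 4: B accepts whenever it suits the attacker
    return {"blocked": False, "owner": panel.domains["victim-target.example"],
            "pending_at_acceptance": pending_seen}


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_attack(mode))
```

In the vulnerable run the domain ends up owned by B even though C accepted a transfer that appeared to include it, and `pending_at_acceptance` shows the pending domain transfer the panel knew about at the moment C accepted. In the hardened run the second invitation is refused at step 2, so the race never opens; fix 3 (a grace period) is not modelled because it changes nothing about ownership logic, only timing.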
Hi team,
Any update to this report?
Thank you,
Hello,
The issue is valid and has been fixed.
Do you confirm?
Regards,
Hi,
I confirm the fix is working.
Best regards,
Mustafa
Hello,
Thank you for confirming the bug and applying the fix.
Could you please let me know the current status of the report? Is it ready to be closed?
Best regards,
Mustafa
Yes it is, we can continue via a support ticket.