Security vulnerabilities

To: Alwaysdata Security Team
From: Mustafa
Date: [17 April 2025]

I would like to clarify that this vulnerability is completely different from the one reported in Report #151. In this case, the subscription account transfer invitation is sent first, followed by the domain transfer invitation while waiting for acceptance, which allows the exploitation of an unprotected time gap.

I also confirm that the vulnerability reported in Report #151 has been fixed.

Please review the details below.

–

### Executive Summary
A critical security vulnerability (High Risk) has been identified in Alwaysdata's domain and site and subscription account management system. This flaw allows an attacker to hijack a victim's domain without their knowledge by exploiting the account invitation transfer mechanism. Immediate action is required due to its direct impact on user data confidentiality and integrity.

—

### Vulnerability Details
#### Exploitation Mechanism
1. Attacker Setup:

1. Account A: Used to send a subscription account transfer invitation to the victim (Account C).
2. Account B: Used to receive a domain transfer invitation from Account A.

2. Attack Steps:

1. Account A sends a subscription account transfer request to Victim C.
2. Simultaneously (or before C accepts), Account A sends a domain transfer request to Account B.
3. When Victim C accepts the subscription transfer, they believe they now own the domain and associated data.
4. Meanwhile, the domain transfer request to Account B remains pending, invisible to C.
5. After C adds sensitive data (emails, mailing lists, configurations), Account B accepts the domain transfer, seizing full control.

#### Why Is This Critical?
- The victim receives no warning about pending domain transfer requests.
- The attacker can choose the timing of the takeover (e.g., waiting until the victim adds critical data).
- All domain-linked services (email, websites, Mailman lists) become compromised.

—POC: https://admin.alwaysdata.com/support/86381/

### Impact Assessment
- High Risk per OWASP/CVE standards:

1. Privacy Breach: Theft of emails and user data.
2. Ownership Hijacking: "Legitimate-looking" domain transfer without user consent.
3. No Traceability: The victim remains unaware until irreversible damage occurs.

—

### Proof of Concept (PoC)
- The scenario is practical and replicable in Alwaysdata's live environment.
- Requires minimal technical skill, only exploiting the timing gap in transfer requests.

—

### Recommended Fixes
1. Transfer Mechanism Patch:

1. Block concurrent transfer requests (subscription + domain) for the same account.
2. Add a conflict check before approving any transfer.

2. User Notifications:

1. Immediately alert users of pending domain transfer requests.
2. Show a clear warning during subscription transfers if a domain transfer is pending.

3. Grace Period:

1. Implement a 24-hour delay for domain transfers with repeated owner notifications.

4. Retroactive Audit:

1. Review past domain transfers for suspicious activity.

—

### Conclusion
This vulnerability severely undermines user trust and poses legal/financial risks. We urge treating it as a P1 priority and transparently informing users of security updates.