- Status: Closed
- Assigned To: cbay - Private
Attached to Project: Security vulnerabilities
Opened by marchenaa - 25.01.2026
Last edited by cbay - 28.01.2026
FS#288 - Improper domain ownership validation allows domain claim and blocking by unauthorized account
It is possible for an account to claim and reserve a domain name without proper ownership validation. Once claimed, the domain becomes unavailable for other accounts, including the legitimate owner.
This allows an attacker to block domains they do not own and potentially prevent legitimate users from using their domains on the platform.
- Create two alwaysdata accounts: Account A and Account B.
- From Account A, add a domain that I own (example: evil.com).
- Complete the domain claim process WITHOUT performing any real ownership verification (no DNS TXT / HTTP challenge).
- Observe that the domain is marked as reserved or claimed by Account A.
- From Account B, attempt to add the same domain. The platform refuses the domain, even though no ownership verification was completed.
Hello,
You can add an external domain with no validation required as it doesn't harm anyone at this point.
It does prevent account B from adding the same domain, but in that case, account B just needs to contact our support and we'll ask them to prove they own the domain (with a TXT challenge). If they do, we'll simply remove the domain from account A.
Kind regards,
Cyril
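
The policy discussed in this task, modelled as an added example (not alwaysdata's code and not part of either post): an unvalidated first-come claim that blocks a second account, and a TXT challenge that moves the domain to whoever can publish the record. The token format, the `DomainRegistry` class, the secret and the in-memory DNS zone are all assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # constructed; a real service keeps this private


def normalize(domain):
    return domain.strip().lower().rstrip(".")


def challenge_token(account, domain):
    """Value the claimant must publish as a TXT record; bound to account and domain."""
    msg = f"{account}|{normalize(domain)}".encode()
    return "ownership-proof=" + hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class DomainRegistry:
    def __init__(self, txt_lookup):
        self.txt_lookup = txt_lookup  # hypothetical resolver: domain -> list of TXT strings
        self.claims = {}              # domain -> {"account": ..., "verified": ...}

    def add_domain(self, account, domain):
        """Unvalidated add: the first account to ask holds the name."""
        holder = self.claims.setdefault(
            normalize(domain), {"account": account, "verified": False})
        return holder["account"] == account

    def prove_ownership(self, account, domain):
        """Dispute path: a matching TXT record moves the domain to the prover."""
        expected = challenge_token(account, domain).encode()
        records = self.txt_lookup(normalize(domain))
        if not any(hmac.compare_digest(expected, r.encode()) for r in records):
            return False
        self.claims[normalize(domain)] = {"account": account, "verified": True}
        return True


def demo():
    zone = {}  # constructed stand-in for public DNS
    reg = DomainRegistry(lambda d: zone.get(d, []))
    first = reg.add_domain("account-a", "Example.org")          # first claimant holds it
    blocked = reg.add_domain("account-b", "example.org.")       # second account is refused
    unproven = reg.prove_ownership("account-a", "example.org")  # no TXT record published
    zone["example.org"] = [challenge_token("account-b", "example.org")]
    proven = reg.prove_ownership("account-b", "example.org")    # DNS controller wins
    return first, blocked, unproven, proven, reg.claims["example.org"]
```

Because the token is keyed to the account as well as the domain, a record published for one account does not validate a claim by another.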