Unfinished Cloudflare account setup exploit

#1

Hi.
I just got a Copyright Infringement Notice related to a domain I own.
I went to check on the claim and this is what I think happened:
As I registered the domain, back in January, I initiated the DNS setup over at my registrar but somehow failed to complete the setup here at Cloudflare.
That is, my registrar had the DNS pointing to the Cloudflare servers, but I didn’t finish setting it up here.
Apparently, someone noticed that and completed the setup over their account.
So, my domain was pointing to Cloudflare’s ‘Andy’ and ‘April’ name servers, and someone pointed it to an IP address (5.45.84.69) hosting an illegal movies screening site.
I proceeded to finish my setup and the DNS now points to my web server.
Curiously, I didn’t need to prove I was the rightful domain owner.
What mechanism prevents someone who has an account at Andy/April from being able to edit my DNS?
Thanks

0 Likes

#2

What is your domain?

1 Like

#3

Hi Sandro,
Thanks for the heads-up.
I did search before posting, but used the wrong keywords apparently.
My domain is openprefab.com

0 Likes

#4

The linked thread hopefully addresses your concerns about a domain takeover.

As for your domain in particular: you registered it anew towards the end of January this year; however, it appears to have already been registered before that, since 2009.

At the beginning of February someone seemingly added your domain a second time to Cloudflare and was issued the nameservers nick and olga. I presume this was not you, right?
Considering that your domain’s last update matches the registration date, I would assume this domain never verified on Cloudflare for that account, hence that person shouldn’t have gained control over it.

3 Likes

#5

I did read the thread you suggested - Thanks.

I don’t have the tools to check the domain’s previous history - the free tools I know of have no record on this domain. The Wayback machine has nothing on it either.

If the problem had resulted in a simple unattended mess-up (linking to another person’s site), I’d have had nothing to worry about, just another whoopsie.

But the person that exploited this loophole is using it to his benefit - in my case, it was serving a movies streaming site, but it could be a porn site or other illegal/problematic service as well.

My intention here is to warn Cloudflare of this attack vector. I don’t even think it’s Cloudflare’s fault, but there may exist other users who, like me, forgot to complete the setup, and they are vulnerable, as someone might be actively looking for these situations.

0 Likes

#6

Right now your domain points to Cloudflare’s proxy server and I presume the setup is correct, isn’t it?

It would appear as if the domain pointed between the beginning of February and yesterday to 5.45.84.69. Was that IP address part of the complaint?

You might want to open a support ticket to clarify what happened with your domain on Cloudflare in February. Did it ever leave your account and get controlled by the account using nick and olga? If it did, the question should be how. If it didn’t, the question should be why it presumably pointed to the aforementioned IP address (assuming you didn’t set this yourself).

Also tagging @cloonan and @cscharff

2 Likes

#7

Thanks, Sandro

You have been quite helpful.

As for your two questions: yes and yes - I’ve now edited the addresses to point to a server I ‘own’, and the previous rogue IP was 5.45.84.69 (to which I have no relation).

If it helps, I’ll be available to answer any questions you or any support person might have, here or through PM.

1 Like

#8

If you opened a ticket, I would suggest posting the ticket number here so @cloonan can track it.

At this point it would be important to know

  1. Has your domain ever been controlled by the account with the nameservers nick and olga? If it has, how come, as it would seem the domain never had these nameservers assigned -> current whois follows

     Updated Date: 2019-01-23T12:27:34Z
     Creation Date: 2019-01-23T12:27:31Z
     Registry Expiry Date: 2020-01-23T12:27:31Z
    
  2. If the domain was never controlled by the aforementioned account, how did this IP address end up as a record, if we do not assume you set it (which you already made clear) or that your account was compromised?

Unfortunately both are questions only Cloudflare can answer. Should you get a response to the ticket please post a follow-up and I am pestering @cloonan and @cscharff once more :slight_smile:

2 Likes

#9

Hi Sandro.

I’ve just finished submitting the ticket: 1658488.

0 Likes

#10

I think @sandro covered the timeline and sequence of events very well. Sorry @goncalo.dumas for the issues you faced. Here is a good summary of what is in place to avoid this: “Security in place to prevent Domain Hijacking”.

Two key takeaways: domain ownership is determined through control of your name servers with your domain registrar, and don’t change name servers until you’ve registered your zone on Cloudflare.

Finally, the actions you took @goncalo.dumas to re-add your zone to your account were spot-on.

2 Likes

#11

Ok, thanks for the fast reply to my ticket.

It was pretty comprehensive: my bad.

I’ll just paste here part of your e-mail that I find most informative.

"(…)
We never recommend updating your nameservers to point to Cloudflare’s nameservers without first adding the domain to your Cloudflare account. Anyone can sign up domains to Cloudflare. When you point to Cloudflare nameservers without first adding the domain to Cloudflare, you are effectively opening up DNS control to whoever signs up the domain first on our platform. This is what happened with your domain in February.

To resolve the issue, first add the domain to your account before updating DNS to point to Cloudflare’s nameservers.
(…)"

Again, thanks for all the support!

2 Likes
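The condition described in #10 and in the support reply quoted in #11 (registry already delegates the domain to Cloudflare nameservers, but no account is serving the zone yet) can be detected from the outside before anyone abuses it. The script below is an added example written for this page, not code from the thread or from Cloudflare. It sends a non-recursive SOA query straight to the delegated nameserver and classifies the delegation: an authoritative NOERROR answer means some account already serves the zone; a REFUSED or otherwise non-authoritative reply means the delegation is dangling and whoever adds the zone first gets DNS control. The assumption that an unknown zone gets a non-authoritative reply (typically REFUSED) from a Cloudflare nameserver is ours; the classifier treats any reply that is not authoritative NOERROR as "dangling". The nameserver names andy/april come from the thread; the response packets in the demo are constructed, so the demo runs offline, and only `probe()` touches the network.

```python
"""Detect a dangling Cloudflare delegation (added example, not from the thread).

Risk state: the registry delegates the domain to *.ns.cloudflare.com, but no
Cloudflare account serves the zone, so anyone who adds the zone first
controls its DNS.  The check asks the delegated nameserver for the zone's
SOA with RD clear, so the server must answer from its own data.
"""
import random
import socket
import struct

CLOUDFLARE_NS_SUFFIX = "ns.cloudflare.com"
QTYPE_SOA = 6
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SOA, query_id=None):
    """Build a query with all flags clear (RD=0: do not ask for recursion)."""
    if query_id is None:
        query_id = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", query_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    """Return the header fields the classification depends on."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer bit
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def make_response(query_id, aa, rcode, ancount=0):
    """Constructed response header for the offline demo (no real server involved)."""
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", query_id, flags, 0, ancount, 0, 0)


def is_cloudflare_ns(host):
    return host.rstrip(".").lower().endswith("." + CLOUDFLARE_NS_SUFFIX)


def classify(registry_ns, answers):
    """Classify the delegation.

    registry_ns: nameserver hostnames published at the registry (whois / parent NS).
    answers: {nameserver: parsed header, or None when it did not reply}.
    Returns 'not_on_cloudflare', 'served', 'dangling' or 'unreachable'.
    """
    cf_servers = [ns for ns in registry_ns if is_cloudflare_ns(ns)]
    if not cf_servers:
        return "not_on_cloudflare"
    states = []
    for ns in cf_servers:
        hdr = answers.get(ns)
        if hdr is None:
            states.append("unreachable")
        elif hdr["qr"] and hdr["aa"] and hdr["rcode"] == 0:
            states.append("served")
        else:  # REFUSED, SERVFAIL, or a non-authoritative reply: nobody serves it
            states.append("dangling")
    if "dangling" in states:
        return "dangling"
    if all(s == "served" for s in states):
        return "served"
    return "unreachable"


def probe(ns_host, domain, timeout=3.0):
    """Live SOA probe over UDP/53 against one nameserver (not used by the demo)."""
    query = build_query(domain)
    expected_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_host, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == expected_id else None


if __name__ == "__main__":
    pair = ["andy.ns.cloudflare.com", "april.ns.cloudflare.com"]
    # Constructed scenario: delegated to Cloudflare, both servers answer REFUSED.
    refused = {ns: parse_header(make_response(0x1234, aa=False, rcode=5)) for ns in pair}
    print("delegated, zone not added anywhere ->", classify(pair, refused))
    # Constructed scenario: an account serves the zone (authoritative NOERROR).
    served = {ns: parse_header(make_response(0x1234, aa=True, rcode=0, ancount=1)) for ns in pair}
    print("delegated, zone served ->", classify(pair, served))
```

To run it for real, call `probe("andy.ns.cloudflare.com", "example.com")` for each nameserver listed in the domain's whois and pass the results to `classify()`; do the same check right after adding a zone to your own account, so that a "served" result confirms it is your account, not someone else's, that the registry now points at.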
