Why is it so easy to hack Cloudflare accounts?

I had a domain with a website. I deleted the website (hosting and A record) and removed the domain from CF. I kept the nameservers just in case I needed to go back in the future. BIG MISTAKE! Sometime in June or July, someone added my domain to his account and created a redirect to his illegal website. Now the Google results for my old website are filled with auto-generated text and URLs. Fortunately I discovered that and deleted the NS at my registrar, so every link is down now.
CF says that that’s not possible because when someone tries to add a domain that already has CF nameservers it requests to change them to another random pair.
I ask the CF security team to investigate the account that currently has the domain miniver.org. The nameservers were never changed: eva.ns.cloudflare.com & mark.ns.cloudflare.com

Besides that, how is it possible to add domains to my account that are not mine?
I searched Who.is and found a domain that has the same nameservers. I was able to add it to my account, although CF said that the NS update was pending. I was also able to see the real IPs of that domain.

Hi @user9220,

If your nameservers point to Cloudflare and the domain is not added to an account, that creates a security risk. It is not “easy to hack Cloudflare accounts”; this is not an account compromise. It is never safe to point a domain to nameservers that you do not control. If you remove the domain from your account, you no longer control them.

If your domain is active in an account with a nameserver pair, that pair will not be assigned to anyone else trying to add the same domain because you control it. As soon as you remove the domain, you no longer control that.

You can add any domain, it does not mean that it will become active in your account. If it’s active on another account, you will be assigned a different nameserver pair to get it working on your own.

Exactly.

6 Likes
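A defender-side check for the condition the replies above describe (registrar delegation still pointing at a Cloudflare nameserver pair that no account currently serves), added here as an example; it is not code from the thread or from Cloudflare. It assumes that a Cloudflare nameserver answers REFUSED for a zone no account serves, and all hostnames and responses in it are constructed; the `lookup` callable is the seam where a real resolver (for example dnspython) is plugged in.

```python
"""Flag domains whose delegation to Cloudflare is dangling.

A domain is "dangling" when the parent zone delegates it to *.ns.cloudflare.com
hosts, but those hosts refuse queries for it because no account serves the zone.
"""
from typing import Callable, Dict, List, Tuple

CF_SUFFIX = ".ns.cloudflare.com"

# Constructed lookup table standing in for live DNS: (qname, qtype, server) ->
# (rcode, answers). Nameserver hostnames are made up, not real Cloudflare pairs.
# Assumption: Cloudflare nameservers answer REFUSED for zones they do not serve.
FAKE_DNS: Dict[Tuple[str, str, str], Tuple[str, List[str]]] = {
    # healthy.example: delegated pair actually serves the zone
    ("healthy.example", "NS", "parent"): ("NOERROR", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]),
    ("healthy.example", "SOA", "ada.ns.cloudflare.com"): ("NOERROR", ["ada.ns.cloudflare.com. dns.cloudflare.com. 1"]),
    ("healthy.example", "SOA", "bob.ns.cloudflare.com"): ("NOERROR", ["ada.ns.cloudflare.com. dns.cloudflare.com. 1"]),
    # dangling.example: zone removed from the account, registrar NS left in place
    ("dangling.example", "NS", "parent"): ("NOERROR", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]),
    ("dangling.example", "SOA", "ada.ns.cloudflare.com"): ("REFUSED", []),
    ("dangling.example", "SOA", "bob.ns.cloudflare.com"): ("REFUSED", []),
    # other.example: not delegated to Cloudflare at all
    ("other.example", "NS", "parent"): ("NOERROR", ["ns1.other.example"]),
}

Lookup = Callable[[str, str, str], Tuple[str, List[str]]]


def fake_lookup(qname: str, qtype: str, server: str) -> Tuple[str, List[str]]:
    """Offline stand-in for a DNS query; unknown tuples behave like SERVFAIL."""
    return FAKE_DNS.get((qname, qtype, server), ("SERVFAIL", []))


def audit(domain: str, lookup: Lookup = fake_lookup) -> str:
    """Classify a domain: ok, dangling, partially-dangling, not-cloudflare, unresolvable.

    Step 1: read the delegation (NS set) the parent publishes for the domain.
    Step 2: ask each delegated Cloudflare host directly for the zone's SOA.
    """
    rcode, delegated = lookup(domain, "NS", "parent")
    if rcode != "NOERROR" or not delegated:
        return "unresolvable"
    cf_hosts = [ns for ns in delegated if ns.lower().rstrip(".").endswith(CF_SUFFIX)]
    if not cf_hosts:
        return "not-cloudflare"
    refused = [ns for ns in cf_hosts if lookup(domain, "SOA", ns)[0] == "REFUSED"]
    if len(refused) == len(cf_hosts):
        return "dangling"  # every delegated host disowns the zone: takeover exposure
    return "partially-dangling" if refused else "ok"


if __name__ == "__main__":
    for name in ("healthy.example", "dangling.example", "other.example"):
        print(f"{name}: {audit(name)}")
```

To run it against live DNS, pass a `lookup` that queries the parent's NS set and then sends the SOA question to each delegated host by address; the classification logic stays unchanged.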

This is the most interesting thing I’ve heard in a long time in this type of post. It makes sense from a security standpoint, but I’ve not heard it before. Where did you hear this?

2 Likes

I believe I have written it somewhere, which is the behaviour I experienced at the time.

1 Like

Can anyone explain why these hacked domains have different NS in the registrar from those assigned by CF?
[Screenshot: intoDNS report for oynabet30.com, "check DNS server and mail server health"]

intodns.com/persianup.com
persianup.com, oynabet30.com, prosportsaddicts.com (just to mention a few)
You can see a pattern: abandoned domains with Cloudflare nameservers that redirect to other websites. They also have thousands of indexed pages with spun text.

This is why.

This is not a Cloudflare-specific problem. If the owner of a domain points the domain at nameservers that they don’t control, they are leaving the domain open to hijacking.

4 Likes
