You can take over any domain if it has the same NS


#1

So if you find a domain that has the same NS as the ones you are getting when you add a new domain, you can control it!!

I just had a domain stolen from the account! I was able to take it back simply by adding it again. NS did not change at all!


#2

I know this has come up before and Cloudflare has some safeguards in place.

Are you saying you had an active domain here with two Cloudflare Nameservers and it got hijacked?


#3

There are no safeguards! A client called me to tell me that some other website is loading instead of his! The domain was not on his account but I was able to add it again. HOW IS THIS POSSIBLE!!!


#4

There are definitely safeguards for this. You should email support @ Cloudflare from the account email address so that our support engineers can look into it.


#6

What is the point of those safeguards when my client's domain was stolen from his account? Those are the facts.


#7

@lupetalo I believe you should really contact Cloudflare’s support, as suggested, and get that clarified. If it happened as you described it might be a serious issue that needs addressing.

Once you have more information please post a follow-up here.


#8

I did contact them, and pinged on Twitter 10m after I found out about this. Here is what I wrote (left the names out)
Facts:

I got a call from a client telling me that some other site is loading on his domain (on this account)
I checked and it was true
When I got to the dashboard domain was not there and NS for the domain was not changed
Added the domain again and I got the access and info mail that it is active
Had to add all the dns entries again

This is really bad and I pinged you on Twitter and community forums, but I got only a response that you have some safeguards in place. That may be true but it did not help me.

  1. How is it even possible for a person to even add a domain to Cloudflare that belongs to another account?
  2. How are you protecting my domains from this when the only mechanism of ownership is NS records that can be the same on multiple accounts?
  3. What are you going to do about this? How will you prevent someone from stealing my clients domain?

#9

Request #1575396


#10

So you did not contact their support? As suggested, do that and we should know more.


#11

The domain itself should never be affected (unless, of course, you use it for the email address associated with the domain management). In the worst case an attacker could get hold of your DNS records. Not saying that is good either though :slight_smile:


#12

That is enough to ruin someone's business… Imagine your websites suddenly pointing to an adult website and nobody gets any notification of it until it is reported by a visitor. And nothing is changed… Same NS, same CF IP addresses. No way of knowing. Nightmare.


#13

I am not sure what we are still discussing here. I am not saying it is not potentially a serious issue, but you need to clarify this with Cloudflare’s support and once it has been determined what exactly happened I hope you can post a follow-up and that Cloudflare can take the necessary steps if there is an actual security problem.

Until then we can only rehash here.


#14

True.
I'll follow up once I get anything from CF. It is a serious issue, there is no doubt about that.

So basically for some $600 you can point 41k of other people's domains to wherever you want…
https://www.robtex.com/premium/?q=karl.ns.cloudflare.com
https://www.robtex.com/premium/?q=kim.ns.cloudflare.com

Pay for those sheets, get what domains have both of those NS and we are all screwed…

I call that a big problem!

edit: @sandro Locking the thread does not fix the issue. I can't understand why you are pushing this under the rug. Are you blind not to see the issue?


#15

Sorry, but I’d classify this at this point (repeatedly rehashing the same thing) as bashing. There might be a problem, we don't know the full story yet. Contact Cloudflare’s support and get back here when you know more.

As we have exhausted the topic for now, I am temporarily(!) closing this as some cooling-off period might not be bad.


#16

#17

Oh for effs sake, your comments are bordering on trolling at this point. I made pretty clear that I lock this thread only temporarily as you obviously need some cooling-off. Your allegations and accusations are without any reason or foundation. You have been told several times what to do, if you choose to do so is up to you.


#18

I know you can’t reply now, this topic will reopen in less than 24 hours (so that you can reply while having new information, since this is actually a big issue if it were to be confirmed, which I doubt, but still).

In the meantime I’d like to give you a bit of answers as far as I, in the User’s Community (I would please ask the Team, @ryan and @cloonan, to take a look), know about the safeguards.

When someone else asks to add a domain already on Cloudflare on another account (or two+ accounts add the same domain) different pairs of NS are issued (there are at least 2550 different combinations, but after a few add requests the action fails). At this point the previous configuration (be it another CF account or the previous DNS service) remains authoritative unless the NS requested are changed.

This is why I highly doubt the issue here is at Cloudflare’s end. There could possibly have been a theft of credentials (your fault, always use 2FA everywhere) to access Cloudflare or the Registrar. Someone could have made a mistake in the configuration. There are endless possibilities.

I’m agreeing with @sandro here, though. Coming here accusing of something without having any proof is not helping your case. Contact support, as you did, wait for a reply and report back since, being a solved issue on your client’s domain, waiting a few hours won’t harm you. It’s better getting the facts straight so that everyone can solve their eventual problems in security.

I have my doubts about this case since it would have already happened if it was that easy seeing Cloudflare’s size and high profile customers.
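An added example, not part of any post in this thread: the safeguard described in #18 depends on the registrar delegation still naming the pair issued to your own account, so that is a check a zone owner can run on a schedule. The `karl`/`kim` pair is taken from the links in #14; the `ada`/`bob` names, the domains and the observed answers are constructed sample data. A zone that changed accounts while keeping the same NS pair, which is what the original poster reports, would pass this check.

```python
import re

# Hostname pattern of Cloudflare-assigned nameservers, as seen in the thread.
CF_NS = re.compile(r"^[a-z0-9-]+\.ns\.cloudflare\.com$")

def norm(names):
    """Lower-case and drop the trailing dot so dig-style answers compare cleanly."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())

def classify(assigned, delegated):
    """Compare the NS pair issued to the account with what the parent zone delegates."""
    a, d = norm(assigned), norm(delegated)
    if not d:
        return "no-delegation"
    if d == a:
        return "ok"
    if d & a:
        return "partial-change"          # one of our NS replaced or an extra NS added
    if all(CF_NS.match(n) for n in d):
        # A complete but different Cloudflare pair: per #18 this is what another
        # account adding the same domain would have been issued.
        return "other-cloudflare-pair"
    return "foreign-nameservers"

def audit(inventory, observed):
    """Return only the domains whose delegation no longer matches the inventory."""
    findings = {}
    for domain, assigned in inventory.items():
        status = classify(assigned, observed.get(domain, []))
        if status != "ok":
            findings[domain] = status
    return findings

ASSIGNED = ["karl.ns.cloudflare.com", "kim.ns.cloudflare.com"]
INVENTORY = {d: ASSIGNED for d in ("example.com", "example.net", "example.org")}

# Constructed NS answers, in the shape `dig +short NS <domain>` prints them.
OBSERVED = {
    "example.com": ["KARL.ns.cloudflare.com.", "kim.ns.cloudflare.com."],
    "example.net": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "example.org": ["kim.ns.cloudflare.com.", "ns1.registrar.example."],
}

if __name__ == "__main__":
    for domain, status in sorted(audit(INVENTORY, OBSERVED).items()):
        print(f"{domain}: {status}")
```
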


#19

This topic was automatically opened after 20 hours.


#20

@matteo
When someone else asks to add a domain already on Cloudflare on another account (or two+ accounts add the same domain) different pairs of NS are issued (there are at least 2550 different combinations, but after a few add requests the action fails). At this point the previous configuration (be it another CF account or the previous DNS service) remains authoritative unless the NS requested are changed.

  • I am always getting the same pair for all the domains on the same account, and it is not unreasonable that somebody can get the same pair. If you look at the logs for the domain I sent in the support ticket I am sure that you will find that the domain changed owner but not NS. Call me stupid but why is it even possible to add a domain that is already on someone else’s account? I worked @ ManageWP and there is no way to add a domain to the service if somebody else is having the same domain on his account.

This is why I highly doubt the issue here is at Cloudflare’s end. There could possibly have been a theft of credentials (your fault, always use 2FA everywhere) to access Cloudflare or the Registrar. Someone could have made a mistake in the configuration. There are endless possibilities.

  • Not possible. There were no logins other than my own, and I do get an email for any login from a new IP. NS was never changed @ registrar and no logins other than mine were performed.

I’m agreeing with @sandro here, though. Coming here accusing of something without having any proof is not helping your case. Contact support, as you did, wait for a reply and report back since, being a solved issue on your client’s domain, waiting a few hours won’t harm you. It’s better getting the facts straight so that everyone can solve their eventual problems in security.

  • I have no access to your systems' logs, I have only an angry client that lost his domain for a few hours. And I do have proof that the domain was removed from my account and then I re-added it. So, in a way I do have proof. And this is a PROBLEM, and support is not helpful at all. I got basically a half-canned response, only a lecture about how your system works without any reference to the facts I mention.
    Support ticket is 1575396 and it is idle for some time now.
    Sorry if I came hard regarding this subject, but I can’t believe that NOBODY will actually look into this.

#21

You didn't “come hard”, you were rude and impolite.

I don't think this will be the case.

This is the community forum and that's why I suggested half a dozen times to contact support and wait for what they say. You apparently eventually did this. When did you contact them and on what plan are you?