Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


[Namesilo] Discovered a potential vulnerability, what to do? [RESOLVED]
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

[Namesilo] Discovered a potential vulnerability, what to do? [RESOLVED]

lifehomelifehome Member
edited August 2016 in Help

Hello all,

Recently I have discovered a low-medium potential vulnerability at Namesilo, what should I do to report properly, without leaking the info out? I tried to ask PGP key from Namesilo, but unfortunately they don't have one.

Should I just type in all the report stuff in their contact form? Or mail their "Customer Support" department?

--lifehome

Comments

  • @lifehome said:
    Hello all,

    Recently I have discovered a low-medium potential vulnerability at Namesilo, what should I do to report properly, without leaking the info out? I tried to ask PGP key from Namesilo, but unfortunately they don't have one.

    Should I just type in all the report stuff in their contact form? Or mail their "Customer Support" department?

    --lifehome

    Report to : [email protected]

    I had reported a XSS a month back and used that email.

    They have a pretty good team . We got $50 credit :)

    Thanked by 1lifehome
  • GCatGCat Member

    Email their security department (if they have any, if not then support), put in the specific details, ideally including a proof of concept, steps to reproduce, and full details on how you achieved this vulnerability, and the type of vulnerability

    Thanked by 1lifehome
  • @lifehome said:
    Hello all,

    Recently I have discovered a low-medium potential vulnerability at Namesilo, what should I do to report properly, without leaking the info out? I tried to ask PGP key from Namesilo, but unfortunately they don't have one.

    Should I just type in all the report stuff in their contact form? Or mail their "Customer Support" department?

    --lifehome

    Make a new thread at LET including all of the details, how to replicate etc. Once you do that i'm sure they will fix in 5 minutes.

  • GCatGCat Member

    @zafouhar said:

    @lifehome said:
    Hello all,

    Recently I have discovered a low-medium potential vulnerability at Namesilo, what should I do to report properly, without leaking the info out? I tried to ask PGP key from Namesilo, but unfortunately they don't have one.

    Should I just type in all the report stuff in their contact form? Or mail their "Customer Support" department?

    --lifehome

    Make a new thread at LET including all of the details, how to replicate etc. Once you do that i'm sure they will fix in 5 minutes.

    Only do that if they refuse to fix it, post it on full disclosure, it'll get patched quickly

    Thanked by 1lifehome
  • AnthonySmithAnthonySmith Member, Patron Provider

    yeah... don't post it publicly please. I am sure they will listen.

    Thanked by 3lifehome tux netomx
  • MadMad Member
    edited August 2016

    You should contact directly them via "customer service" department or [email protected] (same queue). They will escalate it to the internal team for sure, this is the best way to do it.

    Thanked by 1lifehome
  • joepie91joepie91 Member, Patron Provider

    Bit concerning that they don't have a security contact or PGP key... but yes, report it to them privately first. If they don't fix it within a few weeks or so (and you've informed them of the deadline), then disclose it publicly.

  • Sent, and for best I hope namesilo fix this, don't want anybody suffer from this. (tho it's a minor vulnerability

    @joepie91 said:
    Bit concerning that they don't have a security contact or PGP key... but yes, report it to them privately first. If they don't fix it within a few weeks or so (and you've informed them of the deadline), then disclose it publicly.

    Yea, I still afraid my HAR files will be sniffed. :paranoid:

  • FlamesRunnerFlamesRunner Member
    edited August 2016

    @lifehome

    I will destroy you if you post the vulnerability out here (partially because I have domains with Namesilo) so no worries ;)

  • Hmmm...now that I was thinking about transferring some of my domains to Namesilo. Has to wait to see if this will get fixed.

  • lifehomelifehome Member
    edited August 2016

    @myhken said:
    Hmmm...now that I was thinking about transferring some of my domains to Namesilo. Has to wait to see if this will get fixed.

    I just tested and the bug is still "working". I think you worth a wait. :/
    (I think I better keep my mouth shut, the more I type the more I disclose, damn.)

  • tnx

  • NekkiNekki Veteran
    edited August 2016

    @lifehome said:

    @myhken said:
    Hmmm...now that I was thinking about transferring some of my domains to Namesilo. Has to wait to see if this will get fixed.

    I just tested and the bug is still "working". I think you worth a wait. :/
    (I think I better keep my mouth shut, the more I type the more I disclose, damn.)

    Did you actually anticipate them fixing it in less than an hour?

  • Do let us know what it was, when they've fixed it.

    I'm wondering whether it allows you to get stuff free, or control other people's domains etc.

  • Where is the Namesilo refugee thread?!

  • @traceray said:
    Where is the Namesilo refugee thread?!

    Godaddy is the future! :D

  • @myhken said:

    @traceray said:
    Where is the Namesilo refugee thread?!

    Godaddy is the future! :D

    I'd rather point all my domains to AthenaLayer than go with GoDaddy

  • Used Godaddy for the last 14-15 years or so. (30+ domains) Mostly because of all the free stuff you got before, and good coupons. But have planned to move my domains to Namesilo this year,

  • @myhken said:
    But have planned to move my domains to Namesilo this year,

    Good decision (y)

    Thanked by 1netomx
  • lootloot Member

    If it's minor it probably isn't even as bad as the fact that you can socially engineering past their actual 2FA and google past their 2nd. Still, cheap and lots of control and if anyone really wants cheapspitefuldomains.com they can have it.

  • @traceray said:
    Where is the Namesilo refugee thread?!

    Dont worry. Delimiter will be here soon

    Thanked by 1vpsGOD
  • lifehomelifehome Member
    edited August 2016

    @loot said:
    If it's minor it probably isn't even as bad as the fact that you can socially engineering past their actual 2FA and google past their 2nd. Still, cheap and lots of control and if anyone really wants cheapspitefuldomains.com they can have it.

    All I can disclose, is that APT attacks defensive(incl. social engineering) and 2FA can be omitted because of this vulnerability.

  • The vulnerability has been fixed. However there's no bounty to this, unlike @Caster :(

    I'm very sad now.

    The vulnerability is about subaccount manager, and domain portfolio. Where an attacker can utilize an logged in account, or old credentials to login as a subaccount userlevel. From there as subaccounts has no 2FA available setting up, it's very weak for subaccounts to be protected away from attacks.

    Steps to reproduce

    • First, you create a subaccount user, and delegate a portfolio to that user.
    • Use another browser to login as the subaccount user, and surf around the control panel.
    • While the subaccount user still logged in, and cookies are in tact, session is not expired; Go back to the main account and delete the subaccount user.
    • (result) The subaccount user will still be logged in, and having access to originally granted pages.
    Thanked by 1Amitz
  • AnthonySmithAnthonySmith Member, Patron Provider
    edited August 2016

    Hmm, I wonder if whmcs handles sub accounts in a similar way.

Sign In or Register to comment.