New on LowEndTalk? Please Register and read our Community Rules.
[Namesilo] Discovered a potential vulnerability, what to do? [RESOLVED]
Hello all,
Recently I have discovered a low-medium potential vulnerability at Namesilo, what should I do to report properly, without leaking the info out? I tried to ask PGP key from Namesilo, but unfortunately they don't have one.
Should I just type in all the report stuff in their contact form? Or mail their "Customer Support" department?
--lifehome
Comments
Report to: [email protected]
I had reported an XSS a month back and used that email.
They have a pretty good team. We got $50 credit.
Email their security department (if they have one; if not, then support), put in the specific details, ideally including a proof of concept, steps to reproduce, full details on how you achieved this vulnerability, and the type of vulnerability.
Make a new thread at LET including all of the details, how to replicate, etc. Once you do that I'm sure they will fix it in 5 minutes.
Only do that if they refuse to fix it; post it on full disclosure and it'll get patched quickly.
Yeah... don't post it publicly please. I am sure they will listen.
You should contact them directly via the "customer service" department or [email protected] (same queue). They will escalate it to the internal team for sure; this is the best way to do it.
Bit concerning that they don't have a security contact or PGP key... but yes, report it to them privately first. If they don't fix it within a few weeks or so (and you've informed them of the deadline), then disclose it publicly.
Sent, and I hope for the best that Namesilo fixes this; I don't want anybody to suffer from this. (Though it's a minor vulnerability.)
Yeah, I'm still afraid my HAR files will be sniffed. :paranoid:
@lifehome
I will destroy you if you post the vulnerability out here (partially because I have domains with Namesilo) so no worries
Hmmm... and just now I was thinking about transferring some of my domains to Namesilo. That has to wait to see if this will get fixed.
I just tested and the bug is still "working". I think it's worth a wait.
(I think I better keep my mouth shut, the more I type the more I disclose, damn.)
tnx
Did you actually anticipate them fixing it in less than an hour?
Do let us know what it was, when they've fixed it.
I'm wondering whether it allows you to get stuff free, or control other people's domains etc.
Where is the Namesilo refugee thread?!
Godaddy is the future!
I'd rather point all my domains to AthenaLayer than go with GoDaddy
Used GoDaddy for the last 14-15 years or so (30+ domains), mostly because of all the free stuff you got before, and good coupons. But I have planned to move my domains to Namesilo this year.
Good decision (y)
If it's minor it probably isn't even as bad as the fact that you can social-engineer past their actual 2FA and Google past their second. Still, cheap and lots of control, and if anyone really wants cheapspitefuldomains.com they can have it.
Don't worry. Delimiter will be here soon.
All I can disclose is that defences against APT attacks (incl. social engineering) and 2FA can be omitted because of this vulnerability.
The vulnerability has been fixed. However, there's no bounty for this, unlike @Caster.
I'm very sad now.
The vulnerability is about the subaccount manager and domain portfolio, where an attacker can utilize a logged-in account or old credentials to log in at subaccount user level. From there, as subaccounts have no 2FA available to set up, subaccounts are very weakly protected against attacks.
Steps to reproduce
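The subaccount gap described in the post above, modelled as an added example (hypothetical code written for this thread, not Namesilo's own): the login path that lets a subaccount in on its password alone, beside a hardened one where subaccounts inherit the parent's 2FA policy and revoked credentials stop working. All account names, passwords and codes are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    password: str                       # constructed sample; a real system stores a hash
    totp: Optional[str] = None          # enrolled second factor; None = not enrolled
    parent: Optional["Account"] = None  # set only for subaccounts
    revoked: bool = False               # parent has disabled this subaccount


def check_password(acct: Account, pw: str) -> bool:
    return hmac.compare_digest(acct.password, pw)


def check_second_factor(acct: Account, code: Optional[str]) -> bool:
    # Stand-in for a TOTP check: compare against the enrolled value in constant time.
    return acct.totp is not None and code is not None and hmac.compare_digest(acct.totp, code)


def login_vulnerable(acct: Account, pw: str, code: Optional[str] = None) -> bool:
    """Models the flaw described in the thread: subaccounts cannot enrol 2FA,
    so the subaccount path grants access on the password alone, and an old
    (revoked) subaccount credential is never checked."""
    if not check_password(acct, pw):
        return False
    if acct.parent is None and acct.totp is not None:
        return check_second_factor(acct, code)
    return True


def login_hardened(acct: Account, pw: str, code: Optional[str] = None) -> bool:
    """Subaccounts inherit the parent's 2FA requirement and must present their
    own enrolled factor; revoked subaccounts cannot log in at all."""
    if acct.revoked or not check_password(acct, pw):
        return False
    policy_owner = acct.parent or acct
    if policy_owner.totp is not None or acct.totp is not None:
        return check_second_factor(acct, code)  # False until the subaccount enrols
    return True


# Constructed sample data: a 2FA-protected owner and three subaccounts.
OWNER = Account("owner", "pw-owner", totp="492817")
SUB = Account("sub", "pw-sub", parent=OWNER)                            # never enrolled 2FA
SUB_ENROLLED = Account("sub2", "pw-sub2", totp="113355", parent=OWNER)
OLD_SUB = Account("old", "pw-old", parent=OWNER, revoked=True)          # stale credential
```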
Hmm, I wonder if whmcs handles sub accounts in a similar way.