
Taking over a GoDaddy account with Photoshop

An article was recently published describing how the multi-level security of GoDaddy, the largest domain registrar, was bypassed with nothing more than Photoshop.

The author of the article, Steve Ragan, ran an experiment: he asked a friend, security specialist Vinny Troia, director of Night Lion Security, to hijack his account. The hijack succeeded, and all it took was one call to technical support and a few hours of work in Photoshop.

The recovery procedure turned out to be easy. The conversation with the technical support agent began with confirmation of personal data, all of it readily available through Whois. When she asked for the e-mail address the domain was registered to, which Troia did not know, he took on the role of an upset subordinate who had not been given full information and complained about convoluted rules inside the organization. The noise of his daughter playing in the background during the call also set the right scene for winning the support agent's sympathy.

People are the weakest link in any security system, and that includes technical support staff. Their job is to help customers and get their problems solved; voicing suspicion toward a customer or accusing them is not part of it. In most organizations the agent simply has no authority to refuse a customer on the basis of a hunch alone. Fraudsters routinely exploit this feature of support work.
Next, the agent asked Troia for the account PIN and the last digits of the credit card the domain had been purchased with. He replied that he knew neither, since an assistant had registered the domain for him. “I apologize for not being able to provide you with the necessary information, and for the fact that my daughter is noisy all the time,” he said.

She then pointed Troia to a page through which a domain owner can regain rights to a domain by submitting a photo of an identity document.

It took the attacker about four hours to forge a driver's license in Steve Ragan's name. He also created a Gmail address and a Google+ account in that name, so that a search would turn up an online presence for Troia posing as Steve Ragan.

The agent was satisfied with the data. Nobody compared the photo on the Photoshopped “license” with a real photo of Ragan, and there were no other checks on the applicant's identity.

Her last question concerned the legal entity the domains had been registered to. Troia again replied honestly that he had no information about it. At that point she helped the attacker out herself, saying this was a common situation and that many people register domains to firms that do not exist.

After that, the account was re-registered to Troia's e-mail address and he gained full access to it. The operation was complete.

It is worth noting that Steve Ragan did receive a notification about the change to his account data, but only several days later. Had the hijack been real, getting the domains back would most likely have been impossible: by then they would already have been sold or transferred to another registrar.

Restoring access on the strength of a document photo is unreliable, and many registrars do not offer it precisely because anyone can draw anything in Photoshop. GoDaddy, the world's largest registrar, does offer it. The feature was introduced so that users could recover rights to domains registered many years ago, since people often no longer remember old credit card numbers and other details.

The risk of GoDaddy accounts being hijacked through this process is very high, and the registrar should change the procedure. Interestingly, Network Solutions also restores domain rights on the basis of personal documents, but the documents have to be faxed rather than uploaded as photos from a computer.

Steve Ragan said the article was written to draw attention to a problem that could lead to mass domain theft. To protect his own domains, he recommends using every additional protection service the registrar offers, and finding out in advance what can be done if a domain is stolen.
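The recommendation above is to enable the registrar's protective services before an incident, not after. The most concrete of these are the EPP status locks (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited, and the stronger registry-level server* variants) that are visible in any domain's Whois output. The following script, an added example that is not part of the original article or of Ragan's own work, parses constructed Whois-style output and reports which locks are missing; the sample records are made up, and the exact Whois line format varies between registrars, so the regular expression here is an assumption that may need adjusting for a given registrar.

```python
"""Check a domain's EPP status codes in Whois output for anti-hijacking locks.

The status-code names are the standard EPP codes published by ICANN; the
Whois samples below are constructed for this example and do not describe
any real domain.
"""
import re
from typing import Dict, List, Set

# Locks the registrant can switch on through the registrar ("client" side).
REGISTRANT_LOCKS: Dict[str, str] = {
    "clientTransferProhibited": "blocks transfer to another registrar",
    "clientUpdateProhibited": "blocks changes to contacts and nameservers",
    "clientDeleteProhibited": "blocks deletion of the domain",
}

# Registry-level locks: set by the registry at the registrar's request and
# only lifted through an out-of-band process, so a support call cannot undo them.
REGISTRY_LOCKS: Set[str] = {
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
}

# Matches "Domain Status: clientTransferProhibited https://icann.org/epp#..."
# and the shorter "Status: clientTransferProhibited" form (assumed formats).
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)", re.MULTILINE | re.IGNORECASE)


def extract_status_codes(whois_text: str) -> Set[str]:
    """Return the set of EPP status codes found in Whois-style text."""
    return set(STATUS_RE.findall(whois_text))


def assess_locks(statuses: Set[str]) -> Dict[str, object]:
    """Report which registrant locks are absent and whether a registry lock is set.

    A bare 'ok' status means no locks at all: the domain can be transferred
    or have its contacts rewritten the moment an attacker controls the account.
    """
    missing: List[str] = sorted(code for code in REGISTRANT_LOCKS if code not in statuses)
    return {
        "missing_client_locks": missing,
        "registry_lock": bool(statuses & REGISTRY_LOCKS),
        "fully_locked": not missing and bool(statuses & REGISTRY_LOCKS),
    }


# Constructed sample: a domain with all registrant locks plus a registry lock.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""

# Constructed sample: a domain with no locks, the state the article's victim was in.
UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Domain Status: ok https://icann.org/epp#ok
"""


def report(whois_text: str) -> str:
    """Human-readable summary for one Whois record."""
    result = assess_locks(extract_status_codes(whois_text))
    lines = []
    for code in result["missing_client_locks"]:
        lines.append(f"missing {code}: {REGISTRANT_LOCKS[code]}")
    lines.append("registry lock: " + ("yes" if result["registry_lock"] else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (LOCKED_WHOIS, UNLOCKED_WHOIS):
        print(sample.splitlines()[0])
        print(report(sample))
        print()
```

Run it against the output of `whois yourdomain.example` (or an RDAP lookup, after mapping RDAP's spelled-out status strings back to the EPP names). Any domain that reports only "ok" is exactly as exposed as the one in the article: a successful support-desk pretext gives the attacker everything needed to transfer it away before the owner's delayed notification arrives.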

Source: https://habr.com/ru/post/253663/
