Domain registrar GoDaddy fixed a vulnerability affecting systems used by its customer support agents that could have been abused to take over, modify or delete accounts.
Researcher Matthew Bryant said that a riff on a cross-site scripting attack called a blind XSS was to blame. Bryant, a GoDaddy customer, wrote on his blog on Sunday that the Name fields on a particular GoDaddy page accepted and stored a cross-site scripting payload. He left a generic payload behind, akin to leaving a mine that isn’t triggered until someone steps on it.
As it turns out, no one stepped on the mine until Bryant needed to make a legitimate support call to GoDaddy. The rep on the phone could not access his account, and at the same time Bryant was getting email alerts that his almost-forgotten payloads had fired.