GoDaddy Breach Exposed Managed WordPress Hosting Customers’ SSL Keys

GoDaddy’s data breach exposed SSL keys issued to an undisclosed but likely large number of active customers using its managed WordPress website hosting service. The incident has raised concerns that attackers could hijack domains to hold them for ransom, or impersonate them for credential theft and other malicious purposes.

GoDaddy, a major domain registrar and website hosting company, announced Monday that it discovered a data breach on Nov. 17 that exposed the data of 1.2 million active and inactive customers of managed WordPress. The exposed data included email addresses and customer numbers associated with WordPress accounts; the default WordPress administrator password set when the account was first configured; and SFTP and database usernames and passwords. SSL keys belonging to some of the 1.2 million affected customers were also compromised, GoDaddy said in a regulatory statement filed with the Securities and Exchange Commission.

The public company said it had reset all affected passwords and was issuing and implementing new certificates for customers whose SSL keys were compromised.

Attackers used a compromised password to gain access to the certificate provisioning system in GoDaddy’s managed WordPress legacy codebase, GoDaddy officials said. An investigation revealed that the attackers gained initial access to the environment on September 6 and remained undetected for more than 70 days, until November 17.

“We are deeply sorry for this incident and for the concern it caused to our customers,” Demetrius Comes, GoDaddy’s chief information security officer, said in a statement filed with the SEC. “We will learn from this incident and steps have been taken to strengthen our supply system with additional layers of protection.”

Given GoDaddy’s struggles with security over the past few years, it’s unclear how this assurance will resonate with customers. In May 2020, the company said it discovered a vulnerability affecting SSH credentials belonging to about 28,000 customers. The vulnerability occurred in November 2019 but was not discovered until April of the following year. In at least two other instances last year, the company’s employees handed scammers control of a handful of customers’ domains through social engineering.

Possibility of future problems
The biggest concern with this latest breach is that attackers could use the stolen SSL keys to impersonate a legitimate company’s domain for credential theft or malware distribution. Attackers could also use the keys to hijack domains and hold them for ransom, security experts said.

“Affected companies need to replace these certificates with new certificates,” said Nick France, CTO of Sectigo SSL, adding that they should make sure to revoke the original certificates and generate brand new private keys.

Certificate revocation itself is a quick process, typically requiring between 24 hours and 5 days to replace compromised keys. GoDaddy is a certificate authority, and if all exposed SSL keys were issued by the company, it would be the one doing the revocation and re-issuance.

“It’s not clear if all of these compromised certificates and keys were from the GoDaddy CA, or if there were other certificates compromised,” France said. Many hosting companies provide customers with their own certificates, but also allow customers to choose to bring their own. “Until we know what constitutes a stolen certificate – their purpose and issuer – it’s difficult to say exactly who needs to take action,” he said.

Murali Palanisamy, chief solutions officer at AppViewX, said breaches like GoDaddy’s highlight the need for organizations to have a platform that can automate the certificate revocation and reissue process. Such incidents also illustrate why organizations might consider using short-lived digital certificates, so that even if keys are compromised, an attacker’s ability to abuse them is time-limited.

“A typical certificate is valid for one year,” Palanisamy said. If there is a breach in the middle of the certificate life cycle, the attacker holds a valid certificate for more than six months.

“Short-term certificates like Let’s Encrypt are valid for 90 days and renew automatically,” he said. Such certificates could be shortened to 30 days if needed, he said. “For short-lived certificates of 30 days,” he added, “shorter time windows can be used to conduct sophisticated attacks on exploited certificates.”
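The two remediation points above (revoke and generate a brand-new key rather than just renew, and shorter lifetimes bound the abuse window) can be turned into a simple triage check. The following is an added example, not code from the article or from GoDaddy; the certificate inventory, hostnames and the key_created field (assuming an inventory records when each private key was generated) are constructed for illustration, and the exposure window uses the dates the article reports.

```python
"""Triage a certificate inventory against a key-exposure window and
compare how much abuse time a stolen key leaves under different
certificate lifetimes."""
from dataclasses import dataclass
from datetime import date

# Exposure window taken from the article: access from Sept. 6 until
# detection on Nov. 17, 2021 (year assumed from the filing date).
EXPOSURE_START = date(2021, 9, 6)
EXPOSURE_END = date(2021, 11, 17)


@dataclass(frozen=True)
class CertRecord:
    hostname: str
    not_before: date
    not_after: date
    key_created: date  # when the private key was generated (assumed field)


def needs_rekey(cert: CertRecord, exposure_end: date = EXPOSURE_END) -> bool:
    """True if the private key existed on or before the end of the
    exposure window and the certificate is still valid then. Renewing
    a certificate with the same key does not clear this condition."""
    key_existed_in_window = cert.key_created <= exposure_end
    still_valid = cert.not_after >= exposure_end
    return key_existed_in_window and still_valid


def triage(inventory: list[CertRecord]) -> list[str]:
    """Hostnames whose certificate must be revoked and re-keyed."""
    return sorted(c.hostname for c in inventory if needs_rekey(c))


def residual_exposure_days(lifetime_days: int, compromise_offset_days: int) -> int:
    """Days a stolen key stays usable if the theft happens
    compromise_offset_days into a certificate with the given lifetime
    and nobody revokes it. 365-day cert stolen mid-life: 183 days."""
    return max(lifetime_days - compromise_offset_days, 0)


# Constructed inventory: one-year cert issued before the window, a
# cert renewed inside the window but reusing an old key, a cert
# re-keyed after detection, and one that expired during the window.
INVENTORY = [
    CertRecord("shop.example", date(2021, 1, 15), date(2022, 1, 15), date(2021, 1, 15)),
    CertRecord("renewed.example", date(2021, 11, 1), date(2022, 11, 1), date(2020, 6, 1)),
    CertRecord("blog.example", date(2021, 11, 20), date(2022, 2, 18), date(2021, 11, 20)),
    CertRecord("old.example", date(2020, 10, 1), date(2021, 10, 1), date(2020, 10, 1)),
]
```

Running triage(INVENTORY) flags shop.example and renewed.example; the renewed host shows why a same-key renewal during the window is not a remediation.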
