Through DNProtect, we were just alerted to a 'scary' type of loophole in CloudFlare's service.
So here is how this security loophole is taken advantage of by scammers:
Someone decides to use Cloudflare. They open up an account (there are free and paid accounts). They point their domain names to the CF name servers. That's a requirement. But then the person forgets to add the domain name to their CF account. So, the domain is pointed to the CF name servers but is in "limbo" because it is not added to the account at Cloudflare. Or, they delete the domain name from the CF account but forget to change the name servers at the domain registrar. Either way, the domain is pointed but not associated with an account.
So, the 'scammer' looks through publicly available lists (usually DNS checkers, etc.) of domain names pointing to the CF name servers. They grab the list, then import the list of domain names to their Cloudflare account. Domain names that are pointed to the CF name servers but not associated with an account are then added to the scammer's account. The scammer then can see which domains were added to THEIR account, and even though they have NO control over the domain, they have control over the DNS and they can point the domain anywhere they want. They steal the traffic, can get all the emails, anything they want to do with the DNS of the domain.
So, to protect yourself, if you point your domain name to a certain name server, make sure that you have control over the DNS at the name server. So, if you point your domain to Cloudflare's name servers, make sure you add that domain to your Cloudflare account; or someone else may add it to their account.
This just happened to someone recently and we were notified about it. They pointed several of their domains to Cloudflare's name servers but forgot to add the domain to their CF account. So, someone else added them to THEIR account, stealing all their traffic and taking over the DNS for their domains. In this case, the 'thief' didn't even have to have access to their domain, didn't have to hack their domain registrar account, etc.
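An added audit script (not from the post, and not Cloudflare's own tooling) for the "pointed but not associated with an account" state described above: given each domain's current NS delegation and the list of zones your own Cloudflare account actually contains, it flags the names that are claimable. The Cloudflare NS suffix, the function names and the sample domains are assumptions/constructed data.

```python
"""Audit for dangling Cloudflare delegations: domains whose registrar NS points at
Cloudflare while no zone for them exists in our own account (the 'limbo' state)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: every Cloudflare-assigned name server ends in this suffix.
CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"

@dataclass(frozen=True)
class Finding:
    domain: str
    status: str  # "unclaimed" | "ok" | "stale_zone" | "not_cloudflare"
    detail: str

def is_cloudflare_ns(ns: str) -> bool:
    """True if a name server host is Cloudflare's (case and trailing-dot tolerant)."""
    return ns.lower().rstrip(".").endswith(CLOUDFLARE_NS_SUFFIX)

def audit_delegations(ns_by_domain: Dict[str, Iterable[str]],
                      account_zones: Iterable[str]) -> List[Finding]:
    """ns_by_domain: domain -> NS hosts as a resolver returns them (e.g. `dig NS`).
    account_zones: zone names in our account (e.g. Cloudflare API GET /zones)."""
    owned = {z.lower().rstrip(".") for z in account_zones}
    findings: List[Finding] = []
    for domain, servers in ns_by_domain.items():
        d = domain.lower().rstrip(".")
        on_cf = any(is_cloudflare_ns(s) for s in servers)
        if on_cf and d not in owned:  # the risky case described in the post
            findings.append(Finding(d, "unclaimed", "NS at Cloudflare, zone not in our account"))
        elif on_cf:
            findings.append(Finding(d, "ok", "NS at Cloudflare, zone present in our account"))
        elif d in owned:
            findings.append(Finding(d, "stale_zone", "zone in our account, NS points elsewhere"))
        else:
            findings.append(Finding(d, "not_cloudflare", "not delegated to Cloudflare"))
    return findings

# Constructed sample data: delegations as a resolver reports them, and 'our' zones.
SAMPLE_NS = {
    "shop.example": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "forgotten.example": ["ADA.NS.CLOUDFLARE.COM", "bob.ns.cloudflare.com"],
    "old-blog.example": ["ns1.registrar.example", "ns2.registrar.example"],
    "legacy.example": ["ns1.registrar.example"],
}
SAMPLE_ZONES = ["shop.example", "old-blog.example"]

if __name__ == "__main__":
    for f in audit_delegations(SAMPLE_NS, SAMPLE_ZONES):
        print(f"{f.status:14} {f.domain:18} {f.detail}")
```

Run it against live data by feeding the NS answers for every domain you register and the zone list from your account; any "unclaimed" line is a domain to add (or re-delegate) immediately.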