2. CF assigns "semi permanent" nameservers like: bob.cloudflare.com
3. Attacker creates CF account and somehow gets assigned the same nameserver.
4. Once the ___domain expires, CF allows it to be assigned to a new CF account.
5. Domain comes back online with same nameservers.
6. Attacker adds ___domain to their CF account and now controls DNS because the nameservers stayed the same but CF allowed a new controlling entity.
I butchered that explanation but whether that's a loophole, exploit or just an "issue" I'm glad it's solved.
CF says they now no longer allow previously used nameservers to be used again. The only problem with this is if someone swaps CF accounts hundreds/thousands of times and "runs out" of custom names.
> CF says they now no longer allow previously used nameservers to be used again. The only problem with this is if someone swaps CF accounts hundreds/thousands of times and "runs out" of custom names.
It’s not necessary for Cloudflare to remember or to reject all previously assigned name servers: Cloudflare can simply fetch the ___domain’s cached NS records before DNS enrollment and refuse to assign them again.
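One way to implement the check this reply describes (exclude whatever NS the ___domain currently delegates to, instead of keeping a history of every pair ever issued), written as an added example that is not part of the thread or of Cloudflare's code; the resolver, the candidate pool and the NS snapshot are constructed stand-ins:

```python
from typing import Callable, Iterable, Optional, Sequence, Tuple

NsPair = Tuple[str, str]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Bob.cloudflare.com.' matches 'bob.cloudflare.com'."""
    return name.strip().lower().rstrip(".")


def choose_nameservers(
    ___domain: str,
    candidates: Sequence[NsPair],
    resolve_ns: Callable[[str], Iterable[str]],
) -> Optional[NsPair]:
    """Pick a nameserver pair for `___domain` that shares no host with the NS records
    currently visible in DNS, so a ___domain re-enrolled from a different account can
    never land back on the pair that served it before. No history table is needed:
    the live (or cached) delegation is the only thing compared against.
    Returns None when every candidate overlaps with the current delegation."""
    try:
        current = {normalize(n) for n in resolve_ns(___domain)}
    except LookupError:
        # No delegation visible at all (never registered, or fully purged): nothing to exclude.
        current = set()
    for pair in candidates:
        if not any(normalize(n) in current for n in pair):
            return pair
    return None


# Constructed snapshot of what a resolver answers per zone (not real data):
# example.com still points at the Cloudflare pair it was assigned before it lapsed.
CONSTRUCTED_NS = {
    "example.com": ["bob.cloudflare.com.", "Alice.cloudflare.com."],
}


def fake_resolve_ns(___domain: str) -> Iterable[str]:
    """Stand-in for a real NS lookup; raises LookupError like an NXDOMAIN would."""
    try:
        return CONSTRUCTED_NS[normalize(___domain)]
    except KeyError:
        raise LookupError(___domain)


# Constructed pool of candidate pairs the enrollment step may hand out.
CANDIDATE_POOL = [
    ("bob.cloudflare.com", "alice.cloudflare.com"),  # the old pair: must be rejected
    ("bob.cloudflare.com", "carol.cloudflare.com"),  # partial overlap: also rejected
    ("dave.cloudflare.com", "erin.cloudflare.com"),  # fresh pair: accepted
]
```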