How did I hack Godaddy 2-step Authentication of my own account

In this blog, I describe step by step how I could hack my Godaddy account’s 2-step authentication and take the control back from the hacker as well as sharing my analyzation about Godaddy’s Security Level

Couple of days ago, one of the Godaddy account that I am managing got hacked :( The reason is simple: Password is too weak and no 2-step authentication is turned on. The hacker got in the account and turned on the 2-step authentication (without changing the password) so I can not login or even reset my password (they also ask for 2-step authentication code when I try to reset password from the email request).

First action I take is locking the bank card linked to the account. Then next action is to call for support from GoDaddy but they said they couldn’t help if we don’t have the 2-step authentication code. So I was thinking if I can hack the account back myself without asking for “Daddy’s help anymore :)

Now the purpose for this hack is clear: Find a way to turn off the 2-step authentication of the hacked account.

Start analyzing Godaddy’s Security Level

First of all, I start analyzing their Login API, the endpoint: https://sso.godaddy.com/v1/api/idp/login. The API doesn’t have any spam filter layer or throttling mechanism so I can call it as many times as I want. But the hacker didn’t change the password so I don’t need to brute force the password back — good :)

So their login API is so bad, it make me more confident to keep analyzing deeper into their 2-step authentication API. The endpoint of this API is: https://sso.godaddy.com/v1/api/idp/my/token. This API is called from the website with some headers which is the result when login successfully using the above Login API, and Of course the pincode is also included in this. I use another GoDaddy account to analyze the behavior from the 2-step auth API. There is 2 cases:

1- Pin code is correct: Return a JWT token (with id,…. bla bla bla)

2- Pin code is incorrect: Return the error code 500!??? The most interesting part is the headers information is not revoke when the API is called (no matter the Pin code is correct or not), so I only need to call the Login API once to get the headers and put it into the 2-step Auth API and use it forever

Seem good :) this 2-step auth API is also doesn’t have any security layer about spam filtering or throttling…

Analyze Godaddy Dashboard and how to use the JWT token correctly

The next step is to learn how to use the JWT token in the Daddy’s Dashboard. First I use the other account of mine to see how the web store the cookies and how it was calling API to turn on/off the 2-step authentication.

When analyzing the API https://sso.godaddy.com/v1/api/idp/my/setting for setting things, I realize that all the API got a header named Cookies and look like they attach the cookie information for all API call request. One of the variables name auth_idp, which has a value look like a JWT token! So I install a plugin to see all of the cookies of the dashboard, there are many cookies but only 3 cookies seem interesting are: auth_idp, info_idp, lls_idp. I tried to remove the lls_idp and the dashboard still working normally, info_idp is the cookie for storing account’s information such as name, username,… and doesn’t have any special role but to show information on the Dashboard web. So the only think matter here is the auth_idp. I tried to remove it and I completely out of the account.

Only the auth_idp cookie is important

So the task is clear, I just need to replace the auth_idp with the JWT Token of my hacked account to take control of everything :)

Start brute force the Pincode to get the JWT Token

So the way to get the JWT Token is simple, brute force the pin code :)

As the 2-step Auth API doesn’t revoke the header information so I can request the login API once and setup a simple code to brute force the pincode to get JWT Token

So what is the good way to generate pin code, the pin code is a 6-digit value so it has a range from 0 to 999999:

1- Generate it from 0 to 999999, this is a bad way, also we can not split the task to many workers to work at the same time

2- Sharding the range for workers, worker 1 generate from 0 to 1000, worker 2 generate from 1001 to 2000,… but still very bad to manage

3- Simply generate the pin code randomly, the Correct Pincode keep changing for each 30 seconds randomly and we also randomly generate a pin code, so the chance to hit the correct pin code is still 1 / 1000000

I go with the 3rd solution, open the code editor and start a simple implementation in Golang:

So for every worker, I start a seed to random the pin code with the system’s Unix time (so I shouldn’t start all the workers at the same time to make them have different seeds)

I start 100 workers running in parallel in 5 different servers, so any worker got the pin code it will print out the JWT Token for me. The chance is 1/1000000, the time to call the 2-step auth API is ~ 1 second (yeah, it pretty slow). So the expected time I need to wait is 1000000 * 1 / 100 = 10000 seconds = ~2 hours and 45 mins.

Then I go to sleep and wait for around 4 hours, go to each server to check and… voila! there is one worker hit the pin code and got the JWT Token !!!

A worker from 100 workers hit the correct pin — 850116 :)

Then I open the Dashboard of Godaddy with the JWT Token that I got from the worker and be able to remove the 2-step authentication code setup by the hacker and add my 2-step authentication in => Take the full control back from the account finally.

In a nutshell, why I can get the control of my account back from the hacker

There are 3 reason:

1 — Security Level from Godaddy’s API is so bad, really bad with a global company level like Godaddy, they really should fix this ASAP

2 — The hacker didn’t change the account password, so I don’t have any challenge about brute force the password (which I still can do because of security level of Godaddy’s Login API is bad), but it may take forever if the hacker change the password to something much stronger. So I was lucky that the hacker didn’t change the password.

3 — I believe in probability :) that’s why I can calculate the expected time and sure that the brute force will work, actually it does.

Q&A

So is the Godaddy Security Layer bad?

Yes, it’s pretty bad, I will not recommend anyone to use it until they can fix the problem, as well as has better support when someone meet the situation like me (not much people can hack the account back when they didn’t get the support)

Godaddy is a global company and a service that should be top secure, if anyone can hack your domain, they can hack all your business. So I think they need to be more serious about the security of their clients.

If I got someone account password on GoDaddy with 2-step authentication on, could I hack their account?

Yes, you can, just do the same as what I did above. You probably can got access to the account.

So I can say 2-step authentication of Godaddy is useless?

Yes, you can, if you have the password of the account, 99% you can access to that account whether the 2-step authentication is turned on or not.

I am having an account on Godaddy with 2-step authentication, what should I do?

So my advice is to change your account password to something really strong and use phone verification to receive pincode for 2-step authentication so if someone brute force the pin code you will now instantly