One of the Most Popular Domain Registrar and Web hosting Company NAMECHEAP was suffering from a Persistent Cross site scripting (XSS) in DNS setup page. The bug was so powerful that if exploited, attacker could have hijacked the domain name System server, update the DNS records and redirect the Incoming traffic to anywhere he wanted.

As of now Namecheap hosts more than 800,000 clients and manages more than three million domains, that could give an idea of how much damage that bug could have done, if it was found and exploited by Hackers.
Security Researcher ‘Henry Hoggard’, who reported this vulnerability to Namecheap in June, was Amazed to not to find any Security contacts to the website. and it took Over six months By Name Cheap to fix the bug. “I do not know why it took so long, but I had to go through the general customer support ticketing system to report it as I could not find a security contact for them. So that took a lot of time just to find the right person to report it to.” said Hoggard.

The bug was fixed by Namecheap security team few days back and No user Interaction is required to apply the patch.

In a personal blog post Hoggard published the proof of Concept the Bug 

The bug could have given an attacker the ability to hijack domain name system servers and redirect incoming traffic. or intercept email records

Namecheap has clarified on 24.12.2013 that cross site request vulnerability had been fixed much earlier to this report and has spelled out reasons for the vulnerability. You can read its reply here


Please enter your comment!
Please enter your name here