Security vulnerabilities reported through responsible disclosure

From: Disclosure <disclosure_at_dk-hostmaster.dk>
Date: Tue, 9 Oct 2018 13:43:33 +0000

During the summer months, we received a number of reports from a registrar through our responsible disclosure process. We are very grateful for receiving those reports, which allowed us to fix potential security vulnerabilities. I would encourage anyone who finds a potential vulnerability to contact us through our dedicated channels: https://www.dk-hostmaster.dk/en/responsible-disclosure-security-vulnerabilities

The issues that were reported and since fixed were:
- Registrar handle shown to a third-party registrar through EPP under certain conditions.
- XSS vulnerability in an input form on our self-service portal.
- Tailgating 2FA when a second user uses the same browser as an already verified user.



Med venlig hilsen / Best regards

Erwin Lansing
Head of security & technical advisor



DK Hostmaster A/S • Ørestads Boulevard 108, 11. sal • 2300 København S
+45 33 64 60 58 • erwin_at_dk-hostmaster.dk • www.dk-hostmaster.dk



Received on Tue Oct 09 2018 - 15:43:33 CEST
