Sub-Domain Stealing
G
Gowtham Jakka
Currently anyone with a wildcard record added to their domain pointing to flash.funnels.msgsndr.com for convenience will be able to add multiple domains into GHL at once without adding those DNS records.
Any bad actor (GHL user) who recognizes this will be able to add multiple domains and could run unethical/illegal services using domains that don't belong to him/her. This is a security loophole and must be resolved immediately.
P.S. There are close to 20 domains of others in our group that have a wildcard DNS record. (could be more) and are vulnerable to this.
S
Simone Henry
Is this still the case?
G
Gowtham Jakka
Simone Henry: It was on the legacy platform, but needs to be tested after the move to Cloudflare for 'added security'. I've not moved over yet and unable to test but someone who's already done should be able to in theory.