In the vast, interconnected realm of the internet, online security is paramount. With our lives becoming increasingly digitized, ensuring the safety of our online assets has never been more critical. Today, we take a closer look at a popular web hosting service, GoDaddy, and a significant security issue that lies within its delegate access feature.
FYI, while this is my (Charles Musselwhite’s) sole opinion and disposition on this topic, I think it fair to share that I used the aid of The Creativity Maestro, The AGI Pioneer, The Visionary Wordsmith, The Cyber Sage, The Idea Generator, The Linguistic Transformer, The Web Weaver, The Prompt Wizard, The Code Interpreter, also known as GPT-4.
Understanding GoDaddy’s Delegate Access:
GoDaddy, a renowned website hosting provider, offers a beneficial feature known as ‘delegate access’. This feature allows a GoDaddy account holder to provide access to their account to another user, the ‘delegate’. The delegate can then manage certain aspects of the account on behalf of the account holder, providing a handy tool for collaborative work or third-party account management.
The Problem:
However, a significant security flaw exists within this system. Once a delegate’s work is complete, they are not able to close their access to the account. The revocation of delegate access is solely in the hands of the account holder. This means that if the account holder forgets to remove delegate access after the work is completed, the delegate retains their access, creating a potential security risk.
Implications of the Security Flaw:
This oversight in the delegate access feature creates a window for potential misuse of account access. If the account holder forgets to revoke delegate access, the delegate can access and manage the account indefinitely, potentially leading to unauthorized changes, data theft, or worse.
The Urgency to Address the Flaw:
It is crucial for GoDaddy to recognize this flaw and take immediate steps to address it. A potential solution could be providing delegates the ability to close their own access once their work is complete. Alternatively, GoDaddy could implement an automatic timeout feature, where delegate access is automatically revoked after a certain period of inactivity.
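The two remedies proposed above, self-revocation by the delegate and an inactivity timeout, can be modelled in a few lines. This is an added example, not GoDaddy's code or API; the class and method names and the 30-day window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDLE_LIMIT = timedelta(days=30)      # assumed window; the post names no figure

@dataclass
class Grant:
    owner: str                       # account holder who issued the delegation
    delegate: str                    # user acting on the owner's behalf
    last_used: datetime              # last recorded delegate activity
    ended_by: Optional[str] = None   # None while the grant is live

class DelegationRegistry:
    """Hypothetical model of delegate access, not GoDaddy's implementation."""
    def __init__(self):
        self._grants = {}            # (owner, delegate) -> Grant

    def grant(self, owner, delegate, now):   # creating access stays owner-only
        self._grants[(owner, delegate)] = Grant(owner, delegate, now)

    def revoke(self, owner, delegate, actor):
        """Either party to the grant may end it; anyone else is refused."""
        g = self._grants.get((owner, delegate))
        if g is None or g.ended_by is not None:
            return False             # nothing live to revoke
        if actor not in (g.owner, g.delegate):
            raise PermissionError(f"{actor} is not a party to this grant")
        g.ended_by = actor           # kept so the owner can see who ended it
        return True

    def is_active(self, owner, delegate, now):
        g = self._grants.get((owner, delegate))
        if g is None or g.ended_by is not None:
            return False
        if now - g.last_used > IDLE_LIMIT:
            g.ended_by = "system:idle-timeout"   # expire lazily on next check
            return False
        return True

    def touch(self, owner, delegate, now):   # record delegate activity
        if not self.is_active(owner, delegate, now):
            return False             # ended grants cannot be used or refreshed
        self._grants[(owner, delegate)].last_used = now
        return True

    def who_ended(self, owner, delegate):    # audit answer for the owner
        g = self._grants.get((owner, delegate))
        return g.ended_by if g else None
```

Recording who ended each grant keeps the account holder informed of who has access without making the holder the only party able to close it.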
As users of online platforms, we must remain vigilant about our online security. As for GoDaddy, it is important for them to address this security flaw in their delegate access feature, to ensure the security and peace of mind of their users. After all, in the digital world, security is not a luxury – it’s a necessity.
My Actual Chat and Survey With GoDaddy Tech Support
20230515 – GoDaddy Chat session
Terminate a few delegate access accounts.
17:09
Hi Pooja
Pooja at 17:10, May 15:
Hello!
My Name is Pooja. May I know your name, please?
As we have seen, you have concerns about Domain.
How May I assist you Today?
You at 17:11, May 15:
Hi Pooja, my name is Charles. I have a few delegate access accounts that I’d like to relinquish my account.
Pooja at 17:11, May 15:
Here is the help article for Remove a delegate user from my account
https://www.godaddy.com/help/remove-a-delegate-user-from-my-account-19326
You at 17:11, May 15:
I am the delegate.
Pooja at 17:13, May 15:
Well, In that condition only admin will remove the access.
You at 17:15, May 15:
Ohhh, that’s not good. That is a security issue for the account holder. I was provided delegate access to several accounts to complete work on their behalf and now that we are complete I’d like to remove their access from my account as a security measure.
Pooja at 17:16, May 15:
We would request you to ask the clients to remove it from their end.
Here is the help article for Remove a delegate user from my account
https://www.godaddy.com/help/remove-a-delegate-user-from-my-account-19326
You at 17:18, May 15:
My dealings with these customers are complete and I will NOT be contacting them. If this is GoDaddy’s stance this is a glaringly POOR security issue.
Pooja at 17:18, May 15:
Please give us some time to check with our backend team.
You at 17:19, May 15:
If GoDaddy were smart (Yeah, I guess this was a snide remark) they provide both parties to a delegate access with the ability to remove themselves.
Pooja at 17:21, May 15:
Here is the help article to remove a delegate user from my account
https://www.godaddy.com/help/remove-a-delegate-user-from-my-account-19326
You at 17:22, May 15:
This is the same article link you’ve provided 3x times now. That is NOT what I am looking for.
I am the delegate.
Pooja at 17:24, May 15:
As we have checked with our dedicated team and higher authority. They shared the same information. The removal of the accounts is only done by admin.
You at 17:25, May 15:
Like I said before, this is a security problem created by GoDaddy and a POOR one at that. How does it make sense for GoDaddy to leave delegate access accounts exposed like this?
If one wanted to, one could disrupt accounts simply because one still has access. NOT good.
Pooja at 17:27, May 15:
We do understand your concern. I wish I could do this for you.
As we have checked with our dedicated team and higher authority. They shared the same information. the removal of the accounts is only done by the admin.
Well, If you want we will share the contact details of our calling team.
You at 17:28, May 15:
I’d like to raise this issue with the GoDaddy security team if there is one. In light of ALL the security concerns today I can’t believe this has NOT been addressed.
Pooja at 17:32, May 15:
We really apologize for the inconvenience. This is for security reasons.
We have already checked with our supervisors.
You at 17:32, May 15:
I understand you have already checked with your supervisors but there MUST be someone to take security concern recommendations.
If not, I feel compelled to write a blog about this simply to notify GoDaddy account holders of this security issue that could be exploited.
Pooja at 17:38, May 15:
We really apologize for the inconvenience. This is for security reasons.
To share your views If you want we will share the contact details of our calling team.
You at 17:39, May 15:
How is this for security reasons? Please explain to me how NOT being able to shut down delegate access on my side is for security purposes? Maybe I am missing something.
Pooja at 17:41, May 15:
Well, When the admin gives you access the email is sent with admin approval. For removal same process is going through.
You at 17:43, May 15:
The admin providing access is a security reason but not allowing the delegate to remove themselves is NOT a security reason.
Pooja at 17:45, May 15:
Well, This is the reason so that the admin may know who will access and who will not.
You at 17:45, May 15:
I can see you and I are only going to talk in circles. I don’t understand why you don’t see this as a security issue and are hesitant to put me in touch with a security representative. But I will not continue to waste your time or mine if you are unwilling to advance this conversation to someone that might be able to at least bring this to the attention of the GoDaddy security team.
Still NOT a security reason for not allowing delegates to close access.
You have to understand that.
Pooja at 17:47, May 15:
We are here to advise and assist you.
Our supervisors share the same information with us.
You at 17:47, May 15:
Thank you for your time Pooja but this has been a completely unproductive chat session.
Pooja at 17:47, May 15:
We really apologize for the inconvenience. This is for security reasons. We have already checked with our supervisors.
To share your views If you want we will share the contact details of our calling team.
You at 17:48, May 15:
You are still missing the point Pooja.
Conversation closed by you at 17:48, May 15:
Survey at 17:48, May 15:
Were we able to resolve the reason for your chat? (Yes/No)
You at 17:48, May 15:
No
Survey at 17:48, May 15:
Please rate your satisfaction with your GoDaddy Guide, 10 being the best. (0-10)
You at 17:48, May 15:
1
Survey at 17:48, May 15:
Please rate your satisfaction with your product experience, 10 being the best. (0-10)
You at 17:48, May 15:
1
Survey at 17:48, May 15:
Please enter your comments here
You at 17:52, May 15:
According to tech support, I as a delegate can NOT remove myself from an account that I was provided delegate access to. It makes complete sense that the account holder would need to provide delegate access for myriad reasons but once the work is complete, the delegate should be able to REMOVE themselves from this delegate account FOR SECURITY PURPOSES. For GoDaddy not to be able to see or understand this is a real concern and in my opinion a HUGE oversight. I am compelled to write a blog about this security flaw simply to help GoDaddy account holders understand the liability this creates.
Survey at 17:52, May 15:
Thank you for chatting with us.
To this date – 8/30/23, I have NOT heard from anyone at GoDaddy.
Charles Musselwhite
Charles Musselwhite is an author, speaker and co-founder of Musselwhite Marketing (est 2009) along with his wife Linda Musselwhite, together they are “CaLM” (Charles and Linda M). He is the creator and author of the digital marketing 7 Pillar System. He subscribes to a “No Nonsense No Drama Marketing”.
