
I don't understand what the "loophole" is. You say the domain expired...?


1. Domain owner signs up for CF

2. CF assigns "semi permanent" nameservers like: bob.cloudflare.com

3. Attacker creates CF account and somehow gets assigned the same nameserver.

4. Once the domain expires, CF allows it to be assigned to a new CF account.

5. Domain comes back online with same nameservers.

6. Attacker adds domain to their CF account and now controls DNS because the nameservers stayed the same but CF allowed a new controlling entity.

I butchered that explanation but whether that's a loophole, exploit or just an "issue" I'm glad it's solved.

CF says they now no longer allow previously used nameservers to be used again. The only problem with this is if someone swaps CF accounts hundreds/thousands of times and "runs out" of custom names.


I'm replying to my own comment as I've had some new thoughts on how these attackers could have pulled it off.

1. Attacker registers hundreds/thousands of free CF accounts.

2. Each account gets assigned random CF nameservers (some dupes obviously).

3. Attacker then loads the assigned nameservers into a tool that looks for domains using those nameservers.

4. Attacker monitors those domains for accidental expirations.

5. Once expired, attacker adds domain in the CF account that matches the existing nameservers.

6. Once renewed domain comes back online, attacker controls DNS at Cloudflare.


> CF says they now no longer allow previously used nameservers to be used again. The only problem with this is if someone swaps CF accounts hundreds/thousands of times and "runs out" of custom names.

It’s not necessary for Cloudflare to remember or to reject all previously assigned name servers: Cloudflare can simply fetch the domain’s cached NS records before DNS enrollment and refuse to assign them again.
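
A sketch of the enrollment-time check described in the comment above, as an added example that is not part of the thread and not Cloudflare's code. The pool labels, the `ns.dns-provider.example` suffix, `pick_nameservers` and the injected `lookup_ns` resolver are hypothetical, and the delegation data is constructed.

```python
from itertools import combinations

SUFFIX = "ns.dns-provider.example"   # hypothetical provider nameserver zone
POOL = ["ada", "bob", "cy", "dee"]   # hypothetical nameserver labels

def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return host.strip().rstrip(".").lower()

def pick_nameservers(domain, default_pair, lookup_ns, pool=POOL):
    """Choose the nameserver pair for a zone being enrolled.

    lookup_ns(domain) returns the NS hosts the domain is delegated to right
    now (assumption: answered from the parent zone or a resolver cache).
    The account's default pair is kept only if it shares no host with that
    delegation; otherwise a disjoint pair is taken from the pool.
    Returns None when no disjoint pair exists, so enrollment can be refused.
    """
    delegated = {normalize(h) for h in lookup_ns(domain)}
    default = tuple(normalize(h) for h in default_pair)
    if delegated.isdisjoint(default):
        return default
    hosts = [f"{label}.{SUFFIX}" for label in pool]
    for pair in combinations(hosts, 2):
        if delegated.isdisjoint(pair):
            return pair
    return None

# Constructed delegation data standing in for live NS lookups.
DELEGATIONS = {
    "expired-shop.example": ["BOB.ns.dns-provider.example.",
                             "cy.ns.dns-provider.example."],
    "fresh.example": [],
}

def sample_lookup(domain):
    return DELEGATIONS.get(normalize(domain), [])

if __name__ == "__main__":
    account_pair = ("bob.ns.dns-provider.example", "cy.ns.dns-provider.example")
    for name in DELEGATIONS:
        print(name, "->", pick_nameservers(name, account_pair, sample_lookup))
```
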


> Once the domain expires

If the domain is expired, someone else can buy it. This is normal. I don't understand where the attack is.



