The Risks of Domain Masking in Kajabi Checkout 2.0
Aug 23, 2020
You probably haven't noticed that you can swap the domain name of your Kajabi Checkout to ANY domain name that's linked under Kajabi.
Yup, ANY custom domain names CNAME'd with Kajabi's endpoint, including the mykajabi.com subdomains.
Not only your domains and subdomains, but even the ones owned by other Kajabi users.
I guess this has been the case ever since the new Kajabi launched the checkout pages. It has been here all along, so I can't call it a vulnerability or a bug.
So here's my take on this quirk and how it poses certain risks that may outweigh its few use cases.
Very Few Benefits
I came across this quirk feature while playing around with the Embed Checkout Forms Hack. I noticed that accessing your checkout pages using your custom domains and mykajabi subdomains is possible, and so is accessing them with the other domain names under Kajabi.
I can imagine this is useful when changing domain names while having existing checkout pages. If you made campaigns and advertisements that used your old domain name, changing it to a new one will NOT break those advertisement links, because Kajabi allows swapping domain names.
Another benefit is when you have multiple domain names of the same business or site. You have the freedom to use the domain name that suits your branding, provided these domain names are under Kajabi. So say you are under Kajabi Pro plan and you have 3 sites with custom domains:
You may have a signature course on public speaking at myname.com then offer it in your other Kajabi site at mybusiness.com together with other business branded courses. Then you decide to have a special launch at your niche society using the same offer. You can do all these without cloning your course and checkout page. Just change the domain name to suit your purpose.
The last useful case is when migrating Kajabi sites or Kajabi accounts. Just like the first example about changing your domain names, migrating your accounts would break checkout URLs if not for this quirk feature. Though it is not possible to migrate accounts yourself, because Kajabi does not offer it in the admin pages or settings, I believe in extraordinary cases you can chat with support to do it for you.
Because anyone can just swap any Kajabi-linked domain names to any Kajabi checkout page, this exposes our sites to spoofing.
There are two types of spoofing that can be done:
- A rogue checkout page hiding under a valid domain name - A malicious attacker creates a fake checkout page and uses a valid domain name or mykajabi.com subdomain to masquerade the fake checkout page. Scenarios 1 and 2 below explain how it might be done.
- A rogue domain name spoofing a valid checkout page - A malicious attacker creates a custom domain in Kajabi and uses it to spoof checkout pages of other people. Scenarios 3 and 4 correspond to this type of attack.
There's a temporary fix that I made for the first type of spoofing. The second type can only be solved by Kajabi disabling domain masking for checkout pages that we don't own (and allowing it only for the domains and subdomains under our account).
Disclaimer: All scenarios here are hypothetical and fictitious. The dummy examples are well controlled by me, and no accounts were harmed, touched, or exploited in any manner beyond what is described here.
Scenario 1
So let's say John Doe, a malicious solopreneur, wants to sell his designs and templates. He can spoof Mary's domain name and use it as if he were one of Mary's virtual assistants.
John Doe signs up for a trial Kajabi account using a disposable prepaid Visa card, creates a rogue checkout page, and masks its domain name with Mary's domain name. He then runs a 1-week campaign on FB.
But John Doe is smart enough to exclude Australia, Mary's office base, from his geotargeting so that Mary and her team will not notice this spoofing. John Doe even named his mykajabi subdomain "maryunlimited.mykajabi.com" so it looks as if it is really managed by Mary.
John Doe's final act is to exit after his 28-day trial of Kajabi, cashing in a few hundred bucks from his dummy PayPal account.
Take Note: the rule of thumb is that the one who owns the checkout page is always the one who gets the money. Despite using different domain names, the sale will always go to the one who owns the checkout page. The owner of the domain name will not even be notified about this sale nor be notified that the domain is being used in such a weird malicious way.
Well, unless you configured your domain name in Cloudflare and created a logging mechanism using Cloudflare Workers (more on this hack as a temporary fix for domain masking later in this post...)
Scenario 2
Jane Doe is a bitch. She has a long-time grudge against Jenny Master and it's revenge time. Jane Doe creates a dummy checkout page and masks its domain name with "jenny-master-funnels.com". Jane Doe poses as Jenny's project gatekeeper and tells the victims that their project will start 14 days after lining up, or 7 days earlier if they pay a rush service fee to be on the priority list.
Of course, Jenny is a big name. The victims wanted the master so much because the web designs are really to die for. And Jane Doe is good at fooling people as a gatekeeper. Jane Doe cashed out after 14 days and left the victims angry.
Jane Doe got her cash and sabotaged Jenny's reputation as revenge.
Scenario 3
This time the attacker is the owner of the domain name, Jack Rip. He wants to show his local clients that he is affiliated with Billy Gene and sells the Geneius programs alongside the "Ripper" programs, by Jack Rip of course.
He takes Billy Gene's one-time offer, which uses Kajabi Checkout, and masks it with his domain name, TheAdsRipper.com.
Now remember that the sales always go to the owner of the checkout page? Yup, the sales will always go to Billy Gene. But what is the benefit of this for Jack Rip?
Jack Rip controls his domain name using Cloudflare and does the following attacks:
- He added his own FB pixel and Google Tags. That diverts FB leads from Billy to Jack.
- Then he changed the headlines to look as if he is an official reseller.
- He added code that automatically captures email addresses, names, and phone numbers typed into the Kajabi checkout form.
So Jack Rip is after leads, not sales. He is after upselling those leads with his own programs in the future.
Scenario 4
Jack Rip has a new course called "Reap Your Ads Success By Ripping." His lead generation tactic is simple: create a dummy free offer page, find 5 top-selling Kajabi heroes, copy their FB ads down to the details, then create similar FB ads using the masked dummy offer.
No one will notice that the FB ads running are fake. The domain names are legit, but the checkout page that has the free offer magnet is not.
It's hard to notice this. Jack Rip knows how to rip leads and make it his own.
What Did I Just Read???
Okay, I know you were surprised to read about possible attacks that can be done with this quirk in Kajabi.
The purpose of this blog post is to make you aware that you can be a victim of these malicious activities, and therefore we need to protect ourselves and our Kajabi sites.
The above scenarios are not meant for you to follow. Would you like to sell non-existing vitamin supplements for money? Or be a bitch like Jane Doe? Or create a masterclass about ripping lead generation using dark techniques? Of course not!
Issue Submitted to Kajabi (Case #34869)
By the time you read this, I have already reported the case to Kajabi. They already know about it, but it will take some time for them to "fix" it.
It will be faster if many of us upvote this in the Feature Request section of Kajabi. The submitted request is under this link: https://portal.feedback.us.pendo.io/app/#/case/34869
My Temporary Fix
This temporary fix is only possible for Cloudflare users. If your domain is not under Cloudflare, then this hack-fix will not be possible.
I also remind everyone that this fix only superficially solves the first type of spoofing. There is no fix for the second type other than Kajabi resolving this issue.
The mykajabi.com subdomains are also not protected by this fix. There's no way to do that other than Kajabi doing something about it.
This fix can only allow the domains and subdomains that you declare. It will NOT protect your checkout pages themselves, other people's domains, or other people's checkout pages.
Here's how you do it. Follow it step by step.
Step 1: Login to Cloudflare and select your domain name that's linked with your Kajabi account.
Step 2: Go to Apps and search for "Add HTML" app.
Step 3: Click the app and add it to your domain name. The app is installed in your Cloudflare account.
Step 4: This is the tricky part. Copy the settings in this image to your left dashboard.
Step 5: Click the "All Pages" selector and type your domain name followed by "/offers". For example in my domain it's www.jasongo.net/offers
- Once you manually type the domain name, click the "Add" button. Then click "Update Page List" button. Then click Done.
- Nope, it's not yet finished. Do Step 5 again by clicking "All Pages" selector in the left dashboard. Then once the dialog box appears like this below, check the "/offers" selection ONLY.
- Yours should look something like this, of course with your own domain.
- Then click Done.
Step 6: You know you did Step 5 right if you see "/offers" in the previous select box (remember it's "All Pages" initially).
Step 7: Copy the code below to the HTML Code part in the left dashboard.
Step 8: Lines 14-17 of the code list the custom domains and subdomains whose checkout pages are allowed to use your Cloudflare domain.
For example, checkout pages originally from https://www.sparkreviewcenter.com/offers/Sq62UpCR/checkout can be masked with my Cloudflare domain https://www.jasongo.net/offers/Sq62UpCR/checkout.
This is possible because we declared in the code the allowed checkout page domains under our Cloudflare domain.
USUALLY, there will be only 2 URLs listed in the code -- your domain name and your mykajabi.com subdomain. Place only the checkout page domains that you own.
Don't forget the single quotes around each domain and the comma after it, so that no syntax error occurs.
Step 9: Click "Save changes on all pages". Then once you see a dialog box like below, don't forget to click "Continue". It's the true save button here! All steps above are saved when you click the Continue button in the dialog box.
Step 10: Verify that the fix is working by masking, under your Cloudflare domain, checkout pages from Kajabi domains you did NOT include in the code. If everything works, your custom domain under Cloudflare should redirect those checkout pages to a 404 Page Not Found.
You may briefly see the checkout page, but it will be redirected to the 404. Even if the user stops the browser, the payment code on that checkout page stops as well, rendering the page useless.
Step 11: And that's for your first domain name. If you have other custom domains, you need to repeat all the 10 steps for each one of them. Note that the domain names in Step 8 are the authorized domains of checkout pages and NOT the protected domain. The protected domain is the Cloudflare domain you selected in Step 1.
And again, as a reminder, this is a partial temporary fix. It does not protect mykajabi.com subdomains, and there is no way to protect them. It also does NOT protect you from type 2 spoofing mentioned above.
So why can't we have a temporary fix for type 2 spoofing?
In the temporary fix above, our Cloudflare domain has the final power to scan the contents of the HTML, detect whether it came from another domain name, and then block it. In type 2 spoofing the attacker owns the masking domain, so that power sits on their side and not on ours.
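Here is an added example of the kind of check the injected HTML performs (an editor's illustration, not the Step 7 code from this post). It assumes the masked checkout page exposes its original host in a `<link rel="canonical">` element, that the protected domain serves a `/404` path, and that the hostnames listed are placeholders you replace with your own.

```javascript
// Added example (not the post's Step 7 code): an allowlist check to inject
// on /offers/* of the protected Cloudflare domain. Wrap it in a <script>
// tag when pasting into the "Add HTML" app.
// ASSUMPTION: the checkout page exposes its original host in a
// <link rel="canonical"> element and the protected domain serves a /404
// path. Adapt both if Kajabi's markup differs.

// Hosts whose checkout pages may be served under this Cloudflare domain:
// normally just your own domain and your mykajabi.com subdomain.
const ALLOWED_CHECKOUT_HOSTS = [
  'www.jasongo.net',            // the post's example domain
  'yoursite.mykajabi.com',      // constructed placeholder subdomain
  'www.sparkreviewcenter.com',  // second domain from the post's example
];

// Hostname of a URL, lower-cased, or null when it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Only /offers/<id>/checkout pages are subject to the check.
function isCheckoutPath(pathname) {
  return /^\/offers\/[^/]+\/checkout\/?$/.test(pathname);
}

// Fail closed: a missing, unparseable or unlisted origin is rejected.
function isAllowedCheckoutOrigin(originHref, allowed = ALLOWED_CHECKOUT_HOSTS) {
  const host = hostOf(originHref);
  return host !== null && allowed.includes(host);
}

// Browser glue; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined' && isCheckoutPath(location.pathname)) {
  const canonical = document.querySelector('link[rel="canonical"]');
  if (!canonical || !isAllowedCheckoutOrigin(canonical.href)) {
    window.stop();            // halt the checkout's own scripts and payment widgets
    location.replace('/404'); // send the visitor to the 404 page
  }
}
```

The check deliberately fails closed: if the canonical tag is missing or unreadable, the page is treated as foreign and blocked.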
Is it okay not to do this fix?
I give you the liberty to assess your own risks and decide whether to use the temporary fix or not.
By this time, Kajabi knows the issue already and may come up with a solution in a matter of time.
Awareness is also very important. Malicious users will now be more cautious about attempting scenarios like those above because they know the Kajabi community is more aware of what to do, what may happen, and what to watch out for.
What are the other steps we can do aside from technical fixes?
As you can see in the 4 scenarios, all of them have an element of social engineering. At some point there is a loophole in the business process that a third party could exploit to their advantage.
Hypothetically, Scenarios 1 and 2 could happen because there was no clear sales conversion process. Usually, websites have a single email address or contact number that is also shown on all checkout and sales pages. Other websites have a dedicated page about what to expect before, during, and after the sale. Potential buyers will be suspicious if someone like John Doe or Jane Doe does gatekeeper work when your website describes a different business process and different after-sales activities.
Scenarios 3 and 4 can be mitigated by constantly communicating with your clients and students about what's happening in your business. A good onboarding process also helps them know what to expect inside your products and memberships. Unlike in Scenarios 1 and 2, where the legitimate business owner may have no idea what's going on (the buyers' info is in the rogue checkout), in Scenarios 3 and 4 the information still goes to the business owner's lead database. However, the information these people received may have been tampered with by the rogue domain. Constant communication and a good onboarding process will give everyone a sense of what is expected and what is malicious.
In all scenarios, the attackers used social media to advertise and get leads by spoofing domains and checkout pages. John Doe even made sure his ads don't appear in Australia so Mary will not be alerted for some time. In these cases, the power of Kajabi community will be very useful. We can be vigilant to what is happening around us and help each other stay safe. If you see something strange, don't hesitate to report it to Kajabi Support and the people involved.
Is Kajabi safe to use for our business?
Yes it is. Only the checkout pages can be masked by another domain. Doing the same masking with assessments, forms, and landing pages will not work. If you substitute the domain name part of your form with my domain name www.jasongo.net, you will surely get a 404 page or something similar. The login pages, the course products, and the membership URL pages are not affected. The email links can't be spoofed as well.
In this blog post I discussed the risks of domain name masking in Kajabi checkout pages. Domain name masking allows anyone to swap domain names and mykajabi.com subdomains to ANY domains or subdomains that are linked with Kajabi, regardless of whether these domains are associated with the same Kajabi account or not. This poses two types of spoofing, as described in four hypothetical scenarios. I submitted a request to Kajabi regarding this issue and have offered you a temporary fix for type 1 spoofing. There is no possible temporary fix for type 2 spoofing and no possible way to protect mykajabi.com subdomains. I urge the Kajabi community to upvote the request here: https://portal.feedback.us.pendo.io/app/#/case/34869. I also call on the Kajabi community to help each other stay safe.
If you want to stay updated with what I'm doing and experimenting with everything Kajabi, please subscribe to my blog.