Comments on: Network Solutions Security Hole Allows Domain Hijack

By: skyshipper

skyshipper — Wed, 05 May 2010 07:55:32 +0000

great post,indeed an eye opener, almost like a sequence from a thriller although a dark one,but registrants are supposed to keep whois updated and accurate, guess original registrant has to share blame as well, but great post

By: chandan

chandan — Sat, 10 Apr 2010 14:08:06 +0000

i have seen several domains which have dropped domains as email address. its best to use our ISP email in account access

By: Attila

Attila — Wed, 31 Mar 2010 16:59:48 +0000

Wow, that is quite clever. Although, the only thing anyone can do is the previous owner, and he can only scream fraud as the other person mis-represented himself to be someone who he is not.

However once you cross borders (country lines), its nearly impossible to go after the individual when it concerns fraudulently impersonating an identity.

Can possibly go to ICANN and NetSol to plead your case, but I doubt they will care unless the domain is a really high level name.

By: Jamie Zoch

Jamie Zoch — Tue, 30 Mar 2010 22:25:41 +0000

@ Ms Domainer,
Thank you! Most whois emails addresses displayed are not the same email address on file for an account, which is a good thing. If you do use the same email address as you do for your registrar account, you should change it. NSI is one registrar that easily allows anybody (yes anybody) access to a specific email address that IS used for an account for a domain name. I didn’t go into detail about this in my post, as that is the biggest security loop hole. I am not aware of obtaining an email address via Moniker, GoDaddy (the two I use) that I know of.

By: Ms Domainer

Ms Domainer — Tue, 30 Mar 2010 22:03:59 +0000

Jamie,

Great job!

I have always thought that email addresses ought to be hidden in the Whois record, perhaps a changing link similar to that of some privacy services.

That way, people could still email you, but the email itself would be hidden from nefarious eyes.

It just seems to me that registrars ought to take more care in protecting its customers’ property without gouging them for it.

On the other hand, the owner should have double checked his/her email address, and when he or she did not receive emails from the registrar, it should have been a red flag.

It’s a shame for the past owner and something that all registrars should look into, not just NSI.

By: Jamie Zoch

Jamie Zoch — Tue, 30 Mar 2010 21:24:50 +0000

@Shashi,
Since the domain name was registered at NSI, it is IMO. Secondly, there is a loop hole that I think, is and can be a problem providing a domains account admin contact email address and I am only aware of it at NSI. If you would like me to post it, I gladly will but I’m sure many will not be safe if I did. I agree it in not NSI’s fault the admin email was outdated, but when a password reset is done and whois details are changed that day as well, some kind of reg flag should go up. IP tracking, Payment from etc potentially all could have raised a red flag.

By: Jamie Zoch

Jamie Zoch — Tue, 30 Mar 2010 21:18:42 +0000

@Kevin,
I am not sure how or what “all registrars” process is but it clearly could be a problem with some. NSI has a loop hole that I did not include in my story for a reason and is likely what provides somebody the ability to see the email address of the admin (which can and often is different than the one displayed in whois).

By: Shashi Bellamkonda

Shashi Bellamkonda — Tue, 30 Mar 2010 21:16:43 +0000

Hi Jamie,

It is not accurate to categorize this as a Network Solutions security hole. I work for Network Solutions and we advise all domain registrants to always keep their account info updated. If your email domain name has expired you may have bigger issues than just your domain name registration. You may want to include this link where we have posted simple tips to protect domain name registration no matter who your domain name registrar is. http://blog.networksolutions.com/2008/8-tips-to-protect-your-domain-registration/ and could be useful to your readers.

Thanks,

Shashi

By: Jamie Zoch

Jamie Zoch — Tue, 30 Mar 2010 21:14:06 +0000

@Ross,
Theft or “stolen” etc are strong words and ones I didn’t feel comfortable using… so yes, it may be considered theft but I am also not a lawyer and didn’t read the TOS that closely.

By: Domains

Domains — Tue, 30 Mar 2010 21:11:43 +0000

Brett Lewis covered this type of theft in CircleID a couple of years ago, but not in as much detail:

http://www.circleid.com/posts/help_domain_name_hijacked/

Good investigation and example.

By: TeenDomainer

TeenDomainer — Tue, 30 Mar 2010 21:06:31 +0000

Great find I’m amazed someone pulled that off.

By: Ross

Ross — Tue, 30 Mar 2010 20:54:34 +0000

Is this considered theft since the person is not the original owner of the domain and someone accessed the other persons aacount? I believe the person that did this is a member of the domaining community.

By: Kevin

Kevin — Tue, 30 Mar 2010 20:46:22 +0000

Good investigative work there.

But is it not fair to say this is a security problem common to all registrars (or indeed any web site that allows password resets) and not specific to just NSI?

By: sing

sing — Tue, 30 Mar 2010 20:23:05 +0000

this was a great find indeed.

Love ur blog, and u basically win me as ur regular visitor to your blog with ur investigated post.

cheers