Computer Security - Massive Security Vulnerability at Register.com

#1

A client of mine graciously tipped me off to this unbelievable problem within Register.com's billing system.

Our company maintains the domain names for dozens of our clients. We manage these domain names under one common username and password, and access to the Register.com domain manager is isolated to one individual... one username, one password. We thought this was the most secure, most convenient way to manage these domain names for our clients.

Our clients, however, are listed as billing contacts. The billing contact is not supposed to have any access to the domain manager system. They do not have usernames or passwords to access anything within the system. This, also, seems only logical, since the billing contact is frequently an individual with Accounts Receivable in the accounting departments at our clients.

Long before the domain name is due to expire, the billing contact receives an email. (When I say, "Long," I mean very, very long before. Sometimes just a few months into the registration period.)

In this email is a link, "Click here and renew". If the recipient clicks this link, (or anyone to whom this email is forwarded by the recipient clicks this link,) he is forwarded to a web page at Register.com that displays ALL OF THE DOMAINS registered under the username used by the "expiring" domain. For us, this means that when one of our clients receives a notice to renew their domain name, they gain access to the entire list of domains.

But it gets worse.

If you click "Modify SafeRenew Settings", you receive another link, "Back to Domain Manager".

If you click on "Back to Domain Manager", you are placed in the full-access Domain Manager. You never needed to submit a username or password to do so. You can change DNS records, etc., all without ever needing to submit a username or password.

What a disaster.
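
The post above describes a renewal link that behaves like a full login. As an added example (not Register.com's code and not part of this thread), here is one way such a link can be scoped so that it authorizes renewing only the one domain it names, while the Domain Manager still demands a password-authenticated session. The account name, domains, secret and all function names are constructed for illustration.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"  # constructed; a real service loads this from a secret store

# Constructed sample data: one manager account holding several clients' domains.
ACCOUNT_DOMAINS = {"agency": ["client-a.example", "client-b.example", "client-c.example"]}

def _sign(msg: str) -> str:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def issue_renewal_token(account, domain, ttl=7 * 86400, now=None):
    """Token embedded in the billing contact's renewal e-mail."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"renew|{account}|{domain}|{exp}"
    return f"{payload}|{_sign(payload)}"

def verify_renewal_token(token, now=None):
    """Return (account, domain) if the token is authentic and unexpired, else None."""
    try:
        payload, sig = token.rsplit("|", 1)
        action, account, domain, exp = payload.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if action != "renew" or int(exp) < (now if now is not None else time.time()):
        return None
    return account, domain

def renewal_page(token, now=None):
    """What the e-mail link may show: the one domain it names, never the account's list."""
    claims = verify_renewal_token(token, now)
    if claims is None:
        return {"status": 403}
    return {"status": 200, "domains": [claims[1]], "actions": ["renew"]}

def domain_manager(session, token=None):
    """Domain Manager accepts only a password-authenticated session; a link token is ignored."""
    if not session or not session.get("password_authenticated"):
        return {"status": 401, "redirect": "/login"}
    return {"status": 200, "domains": ACCOUNT_DOMAINS[session["account"]],
            "actions": ["renew", "edit_dns", "transfer"]}
```

Because the token is bound to one action and one domain and expires, a forwarded e-mail exposes at most the ability to pay for that domain's renewal.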

#2

In article <>, says...
> A client of mine graciously tipped me off to this unbelievable problem
> within Register.com's billing system.
>
> Our company maintains the domain names for dozens of our clients. We
> manage these domain names under one common username and password, and
> access to the Register.com domain manager is isolated to one
> individual... one username, one password. We thought this was the
> most secure, most convenient way to manage these domain names for our
> clients.
>
> Our clients, however, are listed as billing contacts. The billing
> contact is not supposed to have any access to the domain manager
> system. They do not have usernames or passwords to access anything
> within the system. This, also, seems only logical, since the billing
> contact is frequently an individual with Accounts Receivable in the
> accounting departments at our clients.
>
> Long before the domain name is due to expire, the billing contact
> receives an email. (When I say, "Long," I mean very, very long
> before. Sometimes just a few months into the registration period.)
>
> In this email is a link, "Click here and renew". If the recipient
> clicks this link, (or anyone to whom this email is forwarded by the
> recipient clicks this link,) he is forwarded to a web page at
> Register.com that displays ALL OF THE DOMAINS registered under the
> username used by the "expiring" domain. For us, this means that when
> one of our clients receives a notice to renew their domain name, they gain
> access to the entire list of domains.
>
> But it gets worse.
>
> If you click "Modify SafeRenew Settings", you receive another link,
> "Back to Domain Manager".
>
> If you click on "Back to Domain Manager", you are placed in the
> full-access Domain Manager. You never needed to submit a username or
> password to do so. You can change DNS records, etc., all without ever
> needing to submit a username or password.
>
> What a disaster.
>

nice.

--
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."

Colonel Flagg

#3

"Colonel Flagg" <> wrote in message news:.. .
> In article <>,
> says...
> > A client of mine graciously tipped me off to this unbelievable problem
> > within Register.com's billing system.
> >
> > Our company maintains the domain names for dozens of our clients. We
> > manage these domain names under one common username and password, and
> > access to the Register.com domain manager is isolated to one
> > individual... one username, one password. We thought this was the
> > most secure, most convenient way to manage these domain names for our
> > clients.
> >
> > Our clients, however, are listed as billing contacts. The billing
> > contact is not supposed to have any access to the domain manager
> > system. They do not have usernames or passwords to access anything
> > within the system. This, also, seems only logical, since the billing
> > contact is frequently an individual with Accounts Receivable in the
> > accounting departments at our clients.
> >
> > Long before the domain name is due to expire, the billing contact
> > receives an email. (When I say, "Long," I mean very, very long
> > before. Sometimes just a few months into the registration period.)
> >
> > In this email is a link, "Click here and renew". If the recipient
> > clicks this link, (or anyone to whom this email is forwarded by the
> > recipient clicks this link,) he is forwarded to a web page at
> > Register.com that displays ALL OF THE DOMAINS registered under the
> > username used by the "expiring" domain. For us, this means that when
> > one of our clients receives a notice to renew their domain name, they gain
> > access to the entire list of domains.
> >
> > But it gets worse.
> >
> > If you click "Modify SafeRenew Settings", you receive another link,
> > "Back to Domain Manager".
> >
> > If you click on "Back to Domain Manager", you are placed in the
> > full-access Domain Manager. You never needed to submit a username or
> > password to do so. You can change DNS records, etc., all without ever
> > needing to submit a username or password.
> >
> > What a disaster.
> >
>
> nice.
>
> --
> Colonel Flagg

yuhuh

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary, and those that don't."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, it blows away your whole leg"

Mimic

#4

Dumbass Register.com... I dropped them looooong time ago....

R Green

"Google" <> wrote in message news: om...
> A client of mine graciously tipped me off to this unbelievable problem
> within Register.com's billing system.
>
> Our company maintains the domain names for dozens of our clients. We
> manage these domain names under one common username and password, and
> access to the Register.com domain manager is isolated to one
> individual... one username, one password. We thought this was the
> most secure, most convenient way to manage these domain names for our
> clients.
>
> Our clients, however, are listed as billing contacts. The billing
> contact is not supposed to have any access to the domain manager
> system. They do not have usernames or passwords to access anything
> within the system. This, also, seems only logical, since the billing
> contact is frequently an individual with Accounts Receivable in the
> accounting departments at our clients.
>
> Long before the domain name is due to expire, the billing contact
> receives an email. (When I say, "Long," I mean very, very long
> before. Sometimes just a few months into the registration period.)
>
> In this email is a link, "Click here and renew". If the recipient
> clicks this link, (or anyone to whom this email is forwarded by the
> recipient clicks this link,) he is forwarded to a web page at
> Register.com that displays ALL OF THE DOMAINS registered under the
> username used by the "expiring" domain. For us, this means that when
> one of our clients receives a notice to renew their domain name, they gain
> access to the entire list of domains.
>
> But it gets worse.
>
> If you click "Modify SafeRenew Settings", you receive another link,
> "Back to Domain Manager".
>
> If you click on "Back to Domain Manager", you are placed in the
> full-access Domain Manager. You never needed to submit a username or
> password to do so. You can change DNS records, etc., all without ever
> needing to submit a username or password.
>
> What a disaster.

R Green - WoWsat.com

#5

On Sat, 22 Nov 2003 15:50:11 GMT, "R Green - WoWsat.com" <news@***wowsat.com> wrote:
>Dumbass Register.com... I dropped them looooong time ago....

and they are expensive too !

--
Jim Watt
http://www.gibnet.com

Jim Watt