Massive Security Vulnerability at Register.com

Discussion in 'Computer Security' started by Google, Nov 21, 2003.

  1. Google

    Google Guest

    A client of mine graciously tipped me off to this unbelievable problem
    within Register.com's billing system.

    Our company maintains the domain names for dozens of our clients. We
    manage these domain names under one common username and password, and
    access to the Register.com domain manager is isolated to one
    individual... one username, one password. We thought this was the
    most secure, most convenient way to manage these domain names for our
    clients.

    Our clients, however, are listed as billing contacts. The billing
    contact is not supposed to have any access to the domain manager
    system. They do not have usernames or password to access anything
    within the system. This, also, seems only logical, since the billing
    contact is frequently an individual with Accounts Receivable in the
    accounting departments at our clients.

    Long before the domain name is due to expire, the billing contact
    receives an email. (When I say, "Long," I mean very, very long
    before. Sometimes just a few months into the registration period.)

    In this email is a link, "Click here and renew". If the recipient
    clicks this link, (or anyone to whom this email is forwarded by the
    recipient clicks this link,) he is forwarded to a web page at
    Register.com that displays ALL OF THE DOMAINS registered under the
    username used by the "expiring" domain. For us, this means that when
    one our clients receive a notice to renew their domain name, they gain
    access to the entire list of domains.

    But it gets worse.

    If you click "Modify SafeRenew Settings", you receive another link,
    "Back to Domain Manager".

    If you click on "Back to Domain Manager", you are placed in the
    full-access Domain Manager. You never needed to submit a username or
    password to do so. You can change DNS records, etc., all without ever
    needing to submit a username or password.

    What a disaster.
    Google, Nov 21, 2003
    #1
    1. Advertising

  2. In article <>,
    says...
    > A client of mine graciously tipped me off to this unbelievable problem
    > within Register.com's billing system.
    >
    > Our company maintains the domain names for dozens of our clients. We
    > manage these domain names under one common username and password, and
    > access to the Register.com domain manager is isolated to one
    > individual... one username, one password. We thought this was the
    > most secure, most convenient way to manage these domain names for our
    > clients.
    >
    > Our clients, however, are listed as billing contacts. The billing
    > contact is not supposed to have any access to the domain manager
    > system. They do not have usernames or password to access anything
    > within the system. This, also, seems only logical, since the billing
    > contact is frequently an individual with Accounts Receivable in the
    > accounting departments at our clients.
    >
    > Long before the domain name is due to expire, the billing contact
    > receives an email. (When I say, "Long," I mean very, very long
    > before. Sometimes just a few months into the registration period.)
    >
    > In this email is a link, "Click here and renew". If the recipient
    > clicks this link, (or anyone to whom this email is forwarded by the
    > recipient clicks this link,) he is forwarded to a web page at
    > Register.com that displays ALL OF THE DOMAINS registered under the
    > username used by the "expiring" domain. For us, this means that when
    > one our clients receive a notice to renew their domain name, they gain
    > access to the entire list of domains.
    >
    > But it gets worse.
    >
    > If you click "Modify SafeRenew Settings", you receive another link,
    > "Back to Domain Manager".
    >
    > If you click on "Back to Domain Manager", you are placed in the
    > full-access Domain Manager. You never needed to submit a username or
    > password to do so. You can change DNS records, etc., all without ever
    > needing to submit a username or password.
    >
    > What a disaster.
    >




    nice.



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 21, 2003
    #2
    1. Advertising

  3. Google

    Mimic Guest

    "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > says...
    > > A client of mine graciously tipped me off to this unbelievable problem
    > > within Register.com's billing system.
    > >
    > > Our company maintains the domain names for dozens of our clients. We
    > > manage these domain names under one common username and password, and
    > > access to the Register.com domain manager is isolated to one
    > > individual... one username, one password. We thought this was the
    > > most secure, most convenient way to manage these domain names for our
    > > clients.
    > >
    > > Our clients, however, are listed as billing contacts. The billing
    > > contact is not supposed to have any access to the domain manager
    > > system. They do not have usernames or password to access anything
    > > within the system. This, also, seems only logical, since the billing
    > > contact is frequently an individual with Accounts Receivable in the
    > > accounting departments at our clients.
    > >
    > > Long before the domain name is due to expire, the billing contact
    > > receives an email. (When I say, "Long," I mean very, very long
    > > before. Sometimes just a few months into the registration period.)
    > >
    > > In this email is a link, "Click here and renew". If the recipient
    > > clicks this link, (or anyone to whom this email is forwarded by the
    > > recipient clicks this link,) he is forwarded to a web page at
    > > Register.com that displays ALL OF THE DOMAINS registered under the
    > > username used by the "expiring" domain. For us, this means that when
    > > one our clients receive a notice to renew their domain name, they gain
    > > access to the entire list of domains.
    > >
    > > But it gets worse.
    > >
    > > If you click "Modify SafeRenew Settings", you receive another link,
    > > "Back to Domain Manager".
    > >
    > > If you click on "Back to Domain Manager", you are placed in the
    > > full-access Domain Manager. You never needed to submit a username or
    > > password to do so. You can change DNS records, etc., all without ever
    > > needing to submit a username or password.
    > >
    > > What a disaster.
    > >

    >
    >
    >
    > nice.
    >
    >
    >
    > --
    > Colonel Flagg



    yuhuh

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
    Mimic, Nov 22, 2003
    #3
  4. Dumbass Register.com... I dropped them looooong time ago....

    R Green

    "Google" <> wrote in message
    news:...
    > A client of mine graciously tipped me off to this unbelievable problem
    > within Register.com's billing system.
    >
    > Our company maintains the domain names for dozens of our clients. We
    > manage these domain names under one common username and password, and
    > access to the Register.com domain manager is isolated to one
    > individual... one username, one password. We thought this was the
    > most secure, most convenient way to manage these domain names for our
    > clients.
    >
    > Our clients, however, are listed as billing contacts. The billing
    > contact is not supposed to have any access to the domain manager
    > system. They do not have usernames or password to access anything
    > within the system. This, also, seems only logical, since the billing
    > contact is frequently an individual with Accounts Receivable in the
    > accounting departments at our clients.
    >
    > Long before the domain name is due to expire, the billing contact
    > receives an email. (When I say, "Long," I mean very, very long
    > before. Sometimes just a few months into the registration period.)
    >
    > In this email is a link, "Click here and renew". If the recipient
    > clicks this link, (or anyone to whom this email is forwarded by the
    > recipient clicks this link,) he is forwarded to a web page at
    > Register.com that displays ALL OF THE DOMAINS registered under the
    > username used by the "expiring" domain. For us, this means that when
    > one our clients receive a notice to renew their domain name, they gain
    > access to the entire list of domains.
    >
    > But it gets worse.
    >
    > If you click "Modify SafeRenew Settings", you receive another link,
    > "Back to Domain Manager".
    >
    > If you click on "Back to Domain Manager", you are placed in the
    > full-access Domain Manager. You never needed to submit a username or
    > password to do so. You can change DNS records, etc., all without ever
    > needing to submit a username or password.
    >
    > What a disaster.
    R Green - WoWsat.com, Nov 22, 2003
    #4
  5. Google

    Jim Watt Guest

    On Sat, 22 Nov 2003 15:50:11 GMT, "R Green - WoWsat.com"
    <news@***wowsat.com> wrote:

    >Dumbass Register.com... I dropped them looooong time ago....


    and they are expensive too !

    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Nov 22, 2003
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bill Gates...not!  Email w/o whitelist in the subj

    MISSING Cisco Security Advisory: IPv6 Crafted Packet Vulnerability

    Bill Gates...not! Email w/o whitelist in the subj, Aug 1, 2005, in forum: Cisco
    Replies:
    1
    Views:
    433
    Martin Bilgrav
    Aug 1, 2005
  2. RB

    OE security vulnerability question

    RB, Sep 20, 2003, in forum: Computer Security
    Replies:
    2
    Views:
    327
    Peter Young
    Sep 22, 2003
  3. Martin Bilgrav
    Replies:
    0
    Views:
    349
    Martin Bilgrav
    Aug 15, 2006
  4. Replies:
    0
    Views:
    438
  5. woo
    Replies:
    28
    Views:
    650
    Duane Arnold
    Dec 30, 2005
Loading...

Share This Page