Gmail flaw leads to theft of domain name; GoDaddy steps in to return domain.
A “cracker”* used a deficiency in Gmail to steal a domain name this month. The theft was of DavidAirey.com, a popular graphic designer’s personal site that attracts a couple thousand unique visitors a day.
So how did it happen, and what can you do to protect yourself? Furthermore, how could a popular domainer site lead to even more lost domains?
First, here’s how it happened in a nutshell:
1. DavidAirey.com was registered through a webhost, ICDSoft.
2. The cracker contacted the webhost through a support ticket asking to unlock the domain and send the EPP transfer code.
3. The cracker compromised David Airey’s Gmail account to forward any domain transfer requests to his own email account.
4. The cracker transferred the domain to a GoDaddy account without Airey’s knowledge.
5. He then forwarded the domain to Bebu.net, a parked page at Sedo.
Fortunately, Airey was able to work with GoDaddy to get the domain back. He’s lucky the domain was transferred to GoDaddy. Despite some of its flaws, at least GoDaddy isn’t a fly-by-night registrar.
The cracker was able to add a forwarding rule to Airey’s Gmail account, as Airey recounts on his blog. Airey also explains how to check that your account hasn’t been compromised.
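The forwarding rule is the part of this attack a mailbox owner can actually look for. The following is an added example, not code from the original post or from Airey's blog: it audits filter rules and forwarding addresses for anything that diverts registrar mail outside the owner's own domains. The data is constructed and shaped like the responses of the Gmail API's `users.settings.filters.list` and `users.settings.forwardingAddresses.list` calls; fetching those via OAuth is left out so the check runs offline.

```python
"""Audit mailbox filter rules for silent forwarding of registrar mail.

Added example (not from the original post). The checks run offline over
constructed data shaped like the Gmail API responses for
users.settings.filters.list and users.settings.forwardingAddresses.list.
"""

# Constructed sample: one ordinary labelling filter and one rule of the kind
# described in the post, which diverts transfer-related mail to an outside
# address and hides it from the inbox.
SAMPLE_FILTERS = {
    "filter": [
        {
            "id": "f1",
            "criteria": {"from": "newsletter@example.com"},
            "action": {"addLabelIds": ["Label_1"]},
        },
        {
            "id": "f2",
            "criteria": {"query": 'transfer OR EPP OR "authorization code"'},
            "action": {"forward": "attacker@example.net", "removeLabelIds": ["INBOX"]},
        },
    ]
}
SAMPLE_FORWARDING = {
    "forwardingAddress": [
        {"forwardingEmail": "attacker@example.net", "verificationStatus": "accepted"}
    ]
}

# Constructed: domains whose mailboxes the account owner controls.
OWNER_DOMAINS = {"davidairey.com"}


def _domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def forwarding_findings(filters, forwarding, owner_domains=OWNER_DOMAINS):
    """Return (severity, message) pairs for every setting that sends mail elsewhere.

    Any forwarding address or filter target outside owner_domains is "high";
    a filter that also removes INBOX is escalated to "high" because the
    owner never sees the diverted message.
    """
    findings = []
    for fa in forwarding.get("forwardingAddress", []):
        email = fa["forwardingEmail"]
        if _domain(email) not in owner_domains:
            findings.append(
                ("high", f"forwarding address registered: {email} "
                         f"({fa.get('verificationStatus', 'unknown')})")
            )
    for f in filters.get("filter", []):
        action = f.get("action", {})
        target = action.get("forward")
        if not target:
            continue  # labelling-only filters are not a forwarding risk
        crit = " ".join(f"{k}={v}" for k, v in f.get("criteria", {}).items())
        severity = "high" if _domain(target) not in owner_domains else "low"
        msg = f"filter {f['id']} forwards to {target} on [{crit}]"
        if "INBOX" in action.get("removeLabelIds", []):
            msg += "; also hides the message from the inbox"
            severity = "high"
        findings.append((severity, msg))
    return findings


if __name__ == "__main__":
    for severity, message in forwarding_findings(SAMPLE_FILTERS, SAMPLE_FORWARDING):
        print(f"[{severity}] {message}")
```

Run against the sample, this reports the registered outside forwarding address and the `f2` filter; a clean mailbox returns an empty list. The same logic works on a live export once the two API responses are passed in.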
Here’s what you can do to protect yourself:
1. Never use a free or hosted email account as your whois address. Instead, use a POP email address from a domain you own. Lock the heck out of that domain.
2. Never register a domain through a webhosting company. Webhosts are good (sometimes) at hosting web sites, but they are typically just domain resellers with lax domain security controls. A good domain registrar would never let someone simply e-mail them to unlock a domain and send the transfer code.
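Both pieces of advice can be checked against a domain's public registration record rather than taken on trust. The following is an added example, not code from the original post: it parses an RDAP domain object (the JSON successor to whois, RFC 9083 shape, with status strings as mapped from EPP by RFC 8056) and flags a missing transfer lock and a registrant contact at a hosted mail provider. The record and the short provider list are constructed for illustration; a live lookup (for example from https://rdap.org/domain/<name>) is left out so the check runs offline.

```python
"""Check a domain's lock status and registrant contact from an RDAP record.

Added example, not code from the original post. Input is an RDAP domain
object as JSON text; the sample below is constructed, not a real lookup.
"""

import json

# Assumption: a short illustrative list of free/hosted mail providers.
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed RDAP record showing both weaknesses the post warns about:
# only a delete lock is set, and the registrant uses a hosted mailbox.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-portfolio.com",
    "status": ["client delete prohibited"],
    "entities": [
        {
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Sample Owner"],
                ["email", {}, "text", "owner@gmail.com"],
            ]],
        },
        {
            "roles": ["registrar"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Sample Reseller"],
            ]],
        },
    ],
})


def registrant_emails(record):
    """Collect email values from the jCard of every entity with the registrant role."""
    emails = []
    for entity in record.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        _, properties = entity.get("vcardArray", ["vcard", []])
        for prop in properties:
            if prop[0].lower() == "email":
                emails.append(prop[3])
    return emails


def audit_domain(rdap_json, free_providers=FREE_MAIL_PROVIDERS):
    """Return (domain name, list of findings) for one RDAP domain record."""
    record = json.loads(rdap_json)
    statuses = {s.lower() for s in record.get("status", [])}
    findings = []
    # Either a client- or server-side transfer lock blocks an outbound transfer.
    if not ({"client transfer prohibited", "server transfer prohibited"} & statuses):
        findings.append("no transfer lock: an outbound transfer with the EPP code would be accepted")
    if "client update prohibited" not in statuses:
        findings.append("no update lock: contact details, including the whois email, can be changed")
    for email in registrant_emails(record):
        if email.rsplit("@", 1)[-1].lower() in free_providers:
            findings.append(f"registrant email {email} is at a hosted mail provider")
    return record.get("ldhName"), findings


if __name__ == "__main__":
    name, findings = audit_domain(SAMPLE_RDAP)
    print(name)
    for finding in findings:
        print(" -", finding)
```

On the sample this reports three findings; a domain with `client transfer prohibited` and `client update prohibited` set and a registrant address on its own domain comes back clean. Note that many registries now redact registrant contacts in RDAP, in which case the email check simply has nothing to examine and the lock statuses remain the useful signal.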
Now here’s the really scary part. A popular domain web site, DomainTools, could compromise your entire portfolio of domains. DomainTools offers a product called “Registrant Search” that allows anyone to purchase a list of domains registered by a particular person or with a particular email address. If Airey had a portfolio of domains, the cracker could have easily stolen all of his domains.
*I use the term “cracker” here to refer to a hacker with malicious intent. Using merely the term “hacker” would be like calling all domainers “cybersquatters”.