Gmail flaw leads to theft of domain name; GoDaddy steps in to return domain.
A “cracker”* used a deficiency in Gmail to steal a domain name this month. The theft was of DavidAirey.com, a popular graphic designer’s personal site that attracts a couple thousand unique visitors a day.
So how did it happen, and what can you do to protect yourself? Furthermore, how could a popular domainer site lead to even more lost domains?
First, here’s how it happened in a nutshell:
1. DavidAirey.com was registered through a webhost, ICDSoft.
2. The cracker contacted the webhost through a support ticket asking to unlock the domain and send the EPP transfer code.
3. The cracker compromised David Airey’s Gmail account to forward any domain transfer requests to his own email account.
4. The cracker transferred the domain to a GoDaddy account without Airey’s knowledge.
5. He then forwarded the domain to Bebu.net, a parked page at Sedo.
Fortunately, Airey was able to work with GoDaddy to get the domain back. He’s lucky the domain was transferred to GoDaddy. Despite some of its flaws, at least GoDaddy isn’t a fly-by-night registrar.
The cracker was able to add a forwarding rule to Airey’s Gmail account, as Airey recounts on his blog. Airey also explains how to check that your account hasn’t been compromised.
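The forwarding rule at the centre of this theft is exactly the kind of setting a periodic audit should catch. The following is an added example, not code from the original post or from Airey: it inspects records shaped like the Gmail API's `settings.filters` and `settings.forwardingAddresses` resources (the field names `criteria`, `action.forward`, `action.addLabelIds`, `action.removeLabelIds` and `forwardingEmail` are the API's; the records themselves are constructed sample data) and flags any filter that forwards mail to an address the owner has not approved, noting whether the rule is aimed at domain-transfer mail and whether it also hides the original copy from the inbox.

```python
"""Audit Gmail filter and forwarding settings for rules that divert mail.

Added example, not part of the original post. The record shapes follow the
Gmail API's settings.filters and settings.forwardingAddresses resources;
the sample records below are constructed, not taken from a real account.
"""
from __future__ import annotations

# Words that suggest a rule is targeting registrar / transfer correspondence.
DOMAIN_KEYWORDS = ("transfer", "epp", "auth code", "authorization code",
                   "registrar", "whois", "unlock")


def find_diverting_filters(filters: list[dict], trusted: set[str]) -> list[dict]:
    """Return findings for every filter that forwards mail to an untrusted address.

    Each finding records the filter id, the forwarding target, whether the
    criteria mention domain-transfer terms, and whether the rule also hides
    the message (trashes it or pulls it out of the inbox).
    """
    findings = []
    for f in filters:
        action = f.get("action", {})
        target = (action.get("forward") or "").lower()
        if not target or target in trusted:
            continue  # no forwarding, or forwarding to an approved address
        criteria = f.get("criteria", {})
        text = " ".join(str(v) for v in criteria.values()).lower()
        findings.append({
            "id": f.get("id"),
            "forward": target,
            "criteria": criteria,
            "domain_related": any(k in text for k in DOMAIN_KEYWORDS),
            "hides_copy": ("TRASH" in action.get("addLabelIds", [])
                           or "INBOX" in action.get("removeLabelIds", [])),
        })
    return findings


def find_unknown_forwarding_addresses(addresses: list[dict], trusted: set[str]) -> list[str]:
    """Return forwarding addresses registered on the account that the owner did not approve."""
    return sorted(a["forwardingEmail"] for a in addresses
                  if a.get("forwardingEmail", "").lower() not in trusted)


# Constructed sample data: one rogue rule of the kind described in the post
# (forward registrar mail elsewhere and pull it out of the inbox) next to a
# benign labelling rule. The attacker address is a placeholder.
SAMPLE_FILTERS = [
    {"id": "f1",
     "criteria": {"from": "*@icdsoft.com", "query": "transfer OR EPP"},
     "action": {"forward": "attacker@example.net", "removeLabelIds": ["INBOX"]}},
    {"id": "f2",
     "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_12"]}},
]
SAMPLE_FORWARDING = [
    {"forwardingEmail": "attacker@example.net", "verificationStatus": "accepted"},
]
TRUSTED = {"me@example.com"}  # addresses the owner knowingly set up


def audit(filters=SAMPLE_FILTERS, addresses=SAMPLE_FORWARDING, trusted=TRUSTED) -> dict:
    """Run both checks and return the combined report."""
    return {
        "diverting_filters": find_diverting_filters(filters, trusted),
        "unknown_forwarding": find_unknown_forwarding_addresses(addresses, trusted),
    }


if __name__ == "__main__":
    report = audit()
    for finding in report["diverting_filters"]:
        print(f"filter {finding['id']} forwards to {finding['forward']} "
              f"(domain-related={finding['domain_related']}, hides copy={finding['hides_copy']})")
    for addr in report["unknown_forwarding"]:
        print(f"unapproved forwarding address on account: {addr}")
```

Against a live account the two lists would come from `users.settings.filters.list` and `users.settings.forwardingAddresses.list`; the point of the check is that a forwarding target outside the owner's own approved set is a finding on its own, and a rule that both forwards and removes the inbox copy is the pattern that let this transfer go unnoticed.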
Here’s what you can do to protect yourself:
1. Never use a free or hosted email account as your whois address. Instead, use a POP email address on a domain you own, and lock that domain down as tightly as the registrar allows.
2. Never register a domain through a webhosting company. Webhosts are good (sometimes) at hosting web sites, but they are typically just domain resellers with lax domain security controls. A good domain registrar would never let someone simply e-mail them to unlock a domain and send the transfer code.
Now here’s the really scary part. A popular domain web site, DomainTools, could compromise your entire portfolio of domains. DomainTools offers a product called “Registrant Search” that allows anyone to purchase a list of domains registered by a particular person or with a particular email address. If Airey had a portfolio of domains, the cracker could have easily stolen all of his domains.
*I use the term “cracker” here to refer to a hacker with malicious intent. Using merely the term “hacker” would be like calling all domainers “cybersquatters”.
Gevorg Harutyunyan says
Please vote here: http://gmailrulz.blogspot.com
Seb says
That is extremely dangerous.
We and others have asked many times DomainTools to add an opt-out feature in registrant search.
This tool is dangerous for domain owners and it violates all privacy laws.
I’m surprised Jay didn’t get into trouble with this.
For 2008, I predict things will become nasty for him and DomainTools if no opt-out feature is added.
c0d3w12 says
As explained at: http://c0d3w12.blogspot.com/2007/12/gmail-hacking-demystified-by-mark.html
Dave Zan says
Mr. Airey subsequently got the domain name back after he signed some forms from Go Daddy and all that.
uzma says
The feature offered by DomainTools isn't new. People have been able to do such searches for a long time; they just have made it available to everyone.
Andrew says
That’s correct, uzma. But to be able to do the search in the past, you had to contact the company personally and they pulled the data manually. It was mostly done by lawyers making cases for a UDRP. If a scammer did it, DomainTools would probably catch on to what they were up to.
pooja says
help
Domain Sales says
This is really scary stuff. I am glad in the end Godaddy returned the domain.