DynaDot flaw allows domain hijacking

A 13-year-old geek, Nick Berlette, has apparently found a serious security glitch in the domain management system of DynaDot.com (registrar of about 55,000 domains), which allows anyone with an account at DynaDot.com to get any domain they want with a few clicks. This is how it works:

To begin, log in to your DynaDot account. Browse to the Edit Domains Page. Proceed by clicking on any one of your own domain names. Then look up at the current Address. You will see “?domain_id=#####”, the # symbols being numbers, of course. That is your domain’s unique ID (see where this is going?).

Right about now you should be getting the gist of how this works. By editing that number, you can get access to any domain name. This means contact information, name servers, pushing capabilities, locking, everything is in your control. Change around that number, click Enter, and watch the magic!

Replying to one of the queries about why he didn’t notify DynaDot before blogging about it, Nick says:

I have notified them, and they have yet to fix the “glitch”. As many domainers like myself know, DynaDot is very lazy, so I doubt they will ever fix the glitch, let alone reply to my report.

Posted by Niranjan on January 15th, 2007 in News
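
The flaw described above comes down to a missing server-side ownership check on the domain_id parameter. The Python below is an added example, not DynaDot's code and not part of the original post; the data model, function names and sample records are assumptions constructed for illustration. It puts the unchecked lookup next to a version that ties each record to the authenticated account and records denied attempts for detection.

```python
from dataclasses import dataclass

@dataclass
class Domain:
    domain_id: int
    name: str
    owner: str          # account that registered the domain
    nameservers: tuple

# Constructed sample data: two accounts, one domain each.
DOMAINS = {
    10001: Domain(10001, "alice-example.test", "alice", ("ns1.alice.test",)),
    10002: Domain(10002, "bob-example.test", "bob", ("ns1.bob.test",)),
}
DENIED = []  # (user, domain_id) pairs, kept for detection and alerting

class NotFound(Exception):
    """Raised for unknown IDs and for IDs the caller does not own."""

def load_domain_unchecked(session_user: str, domain_id: int) -> Domain:
    # Behaviour described in the post: being logged in is the only check,
    # so the ID taken from the URL decides which record is returned.
    return DOMAINS[domain_id]

def load_domain_checked(session_user: str, domain_id: int) -> Domain:
    # Hardened form: the record must belong to the authenticated account.
    domain = DOMAINS.get(domain_id)
    if domain is None or domain.owner != session_user:
        if domain is not None:
            DENIED.append((session_user, domain_id))
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        raise NotFound(domain_id)
    return domain

def set_nameservers(session_user: str, domain_id: int, servers) -> Domain:
    # Every state-changing action goes through the same ownership check.
    domain = load_domain_checked(session_user, domain_id)
    domain.nameservers = tuple(servers)
    return domain
```

Repeated entries in DENIED for one account across consecutive IDs are the signal an operator would alert on.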