Full Disclosure mailing list archives
An expired domain name equals identity theft via email
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 15 May 2003 15:31:13 -0400
The article describes an interesting hack involving intercepting email messages being sent to expired domain names. My take is that this issue is more of a glitch in the domain registration system and not so much an eBay security issue. For example, MSN, Amazon, and Yahoo are other places the bad guys could use email addresses from an expired domain to gain access to Web site accounts.

Richard M. Smith
http://www.ComputerBytesMan.com

=======================================

http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01

Auctionbytes-NewsFlash, Number 538 - May 15, 2003 - ISSN 1539-5065

Expired Domains Expose EBay Security Glitch
By David Steiner
May 15, 2003

....

The second eBay log-in vulnerability was discovered this week by AuctionBytes and confirmed by two Internet security experts. AuctionBytes purchased a domain name that had recently become available after its original owner let the registration expire. After activating the domain and setting up a mailbox, AuctionBytes began to receive hundreds of Spam messages addressed to former employees of the site - over 20 different email addresses in all. Copying and pasting some of these email addresses into eBay's "Search by Seller" search box allowed AuctionBytes to pull up IDs of people who had previously worked for the Site originally owning the domain name. These employees had never bothered to change their contact email address on eBay when the company dissolved.

Although AuctionBytes did not attempt to hack into any of the idle accounts, it was evident that it would be easy to gain access to the account by using the "send me a new password" feature, since we now owned the domain where all emails would be sent. Once a new password is sent to the "expired" email address, the recipient is verified and able to access all areas of the account, in effect, "hijacking" the account.

.....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
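The failure mode in the quoted article is that a "send me a new password" flow trusts a contact address that was verified years earlier, even though the domain has since lapsed and been re-registered by someone else. The following is an added example, not code from the original post, eBay, or AuctionBytes, of how a site could gate password resets and audit its user base against that risk. It assumes a hypothetical registration-history table (`DOMAIN_HISTORY`, constructed inline here; a real deployment would populate it from WHOIS/RDAP) and hypothetical `Account` records carrying the date on which the address was last verified.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    contact_email: str
    email_verified_on: date  # last time the user proved control of this mailbox


# Constructed sample registration history: domain -> records of
# (registered_on, expired_on or None if still active), oldest first.
# Hypothetical data for this example only.
DOMAIN_HISTORY: Dict[str, List[Tuple[date, Optional[date]]]] = {
    "defunct-shop.test": [
        (date(1999, 3, 1), date(2002, 11, 30)),  # original company let it lapse
        (date(2003, 5, 10), None),               # re-registered by a new party
    ],
    "lapsed.test": [
        (date(2000, 6, 1), date(2003, 1, 15)),   # expired, nobody has re-registered
    ],
    "stable.test": [
        (date(1998, 1, 1), None),                # continuously held by one registrant
    ],
}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower()


def mailbox_owner_may_have_changed(domain: str, verified_on: date) -> bool:
    """True when whoever controls the domain today may not be the party that
    controlled it when the address was verified: the domain is unknown,
    currently expired, or its current registration began after verification."""
    records = DOMAIN_HISTORY.get(domain)
    if not records:
        return True  # unknown or malformed domain: do not trust it
    registered_on, expired_on = records[-1]
    if expired_on is not None:
        return True  # lapsed: mail could be captured by a future registrant
    return registered_on > verified_on


def reset_decision(account: Account) -> str:
    """Decide how a password-reset request for this account should proceed."""
    if mailbox_owner_may_have_changed(domain_of(account.contact_email),
                                      account.email_verified_on):
        # Do not mail a reset link; demand a second factor or re-verification.
        return "require_secondary_verification"
    return "send_reset_link"


def audit_accounts(accounts: List[Account]) -> List[str]:
    """Return user_ids whose contact address should be re-verified proactively,
    before anyone ever requests a reset for them."""
    return [a.user_id for a in accounts if reset_decision(a) != "send_reset_link"]


if __name__ == "__main__":
    sample = [
        Account("ex-employee", "jane@defunct-shop.test", date(2001, 4, 2)),
        Account("ghost", "bob@lapsed.test", date(2002, 2, 2)),
        Account("fine", "ann@stable.test", date(2002, 8, 8)),
        Account("broken", "no-at-sign", date(2002, 8, 8)),
    ]
    for acct in sample:
        print(acct.user_id, "->", reset_decision(acct))
    print("needs re-verification:", audit_accounts(sample))
```

The comparison that matters is between the date the user last proved control of the mailbox and the start of the domain's current registration; a domain that was re-registered after that proof, or that is currently expired, gets no reset link until the user re-verifies through another channel.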