Full Disclosure mailing list archives

An expired domain name equals identity theft via email


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 15 May 2003 15:31:13 -0400

The article describes an interesting hack involving intercepting
email messages being sent to expired domain names.  My take is that this
issue is more of a glitch in the domain registration system and not so
much an eBay security issue.  For example, MSN, Amazon, and Yahoo are
other places the bad guys could use email addresses from an expired
domain to gain access to Web site accounts.
 
Richard M. Smith
http://www.ComputerBytesMan.com

=======================================
 
http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01

Auctionbytes-NewsFlash, Number 538 - May 15, 2003 - ISSN 1539-5065 
Expired Domains Expose EBay Security Glitch
By David Steiner
May 15, 2003  

....

The second eBay log-in vulnerability was discovered this week by
AuctionBytes and confirmed by two Internet security experts.

AuctionBytes purchased a domain name that had recently become available
after its original owner let the registration expire. After activating
the domain and setting up a mailbox, AuctionBytes began to receive
hundreds of Spam messages addressed to former employees of the site -
over 20 different email addresses in all. 

Copying and pasting some of these email addresses into eBay's "Search by
Seller" search box allowed AuctionBytes to pull up IDs of people who
had previously worked for the site originally owning the domain name.
These employees had never bothered to change their contact email address
on eBay when the company dissolved. 

Although AuctionBytes did not attempt to hack into any of the idle
accounts, it was evident that it would be easy to gain access to the
account by using the "send me a new password" feature, since we now
owned the domain where all emails would be sent. Once a new password is
sent to the "expired" email address, the recipient is verified and able
to access all areas of the account, in effect, "hijacking" the account. 

.....
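The exposure described in the article is an account whose recovery address sits on a domain nobody renews. Below is an added defender-side audit for that condition (example code written for this thread, not AuctionBytes' or eBay's); it assumes a lookup callable that reports whether a domain still serves mail, and uses a constructed in-memory table so it runs offline (with dnspython one would instead query the MX record).

```python
"""Flag accounts whose recovery-email domain no longer serves mail.

Added example for this thread; not code from AuctionBytes or eBay.
`has_mail_service` is an assumed interface: a callable returning True when
the domain is registered and accepts mail.  The sample table below stands
in for a real DNS/MX check so the audit runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str


# Constructed sample registry: which domains still answer for mail.
SAMPLE_MAIL_SERVICE = {
    "example.com": True,            # healthy, still registered
    "dissolved-co.example": False,  # lapsed, like the site in the article
}


def lookup_sample(domain: str) -> bool:
    """Stand-in resolver; unknown domains are treated as not serving mail."""
    return SAMPLE_MAIL_SERVICE.get(domain, False)


def email_domain(addr: str) -> str:
    """Normalise an address and return its domain part."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or addr.endswith("@") or addr.startswith("@"):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.rsplit("@", 1)[1]


def orphaned_accounts(accounts: Iterable[Account],
                      has_mail_service: Callable[[str], bool] = lookup_sample
                      ) -> Dict[str, List[str]]:
    """Group user ids by recovery-email domain that no longer serves mail.

    Each domain is resolved once.  An operator can lock password reset for
    the returned accounts until the user re-verifies via another channel.
    """
    cache: Dict[str, bool] = {}
    flagged: Dict[str, List[str]] = {}
    for acct in accounts:
        dom = email_domain(acct.email)
        if dom not in cache:
            cache[dom] = has_mail_service(dom)
        if not cache[dom]:
            flagged.setdefault(dom, []).append(acct.user_id)
    return flagged


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("u1", "alice@example.com"),
    Account("u2", "Bob@Dissolved-Co.Example "),
    Account("u3", "carol@dissolved-co.example"),
]
```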

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

