
08-21-2006, 11:30 AM
Goodness, just read the posts, especially Domainitor's. It's what I've suspected for a
long time, but I never wanted to believe it until someone from a registrar had finally
confirmed that.
Keep at it, stu. Getting your lawyer involved seems to be the only thing left to "force"
someone at enom to do something about this, and it's a shame it's led to this.

08-21-2006, 07:24 PM
I also have a cvs file (emailed to me from eNom) for the day after the supposed transfer took place where the domain is still in my account and locked. I had a lame excuse that it takes some time to process these things into my account. Of course, I find that incredible. [vent] It's just an excuse to try and fob me off. I don't believe anybody responding to me has made any serious attempt to investigate the theft thoroughly. I seem to know more about it than they do. [/vent] Maybe Domainitor is onto something.
__________________
The Do's and Don't of Domain Registration o Backordering, Dropcatchers and Auction Houses (see Domain Name Tutorials forum)
Whois Search
Last edited by stub; 08-21-2006 at 07:30 PM.

08-21-2006, 07:31 PM
how long was it in your account?
also, was it in an ETP account?

08-21-2006, 07:47 PM
A semi-rhetorical question. How did the thief unlock the domain, transfer away, and then relock the domain?

08-21-2006, 07:48 PM
Approx 3 months. Yes it was in an ETP account.

08-21-2006, 08:19 PM
After reaching destination registrar he can lock the domain easily?
__________________
Bashar Al-Abdulhadi - KuwaitNET Internet Services Serving customers since 1997
Kuwait's First Webhosting and Domain Registration provider - an ICANN Accredited Registrar

08-21-2006, 09:49 PM
I was referring to relocking it in my eNom account.

08-21-2006, 09:56 PM
Ok. Sadly. It's time to go public.
My email to eNom's General Counsel...
Quote:
ATTN: Martin Garthwait
Dear sir,
I am sending you this email because you are the General Counsel for eNom and I cannot get any satisfaction from the other people I've been dealing with. Namely, your Transfer Manager - Joanne Fleming, your Transfer Specialist - Jason Cluphf, and legal@enom.com. Also any other person involved in support ticket cases #11111111/22222222/33333333, which detail the communications about this flaw and my grievance.
For additional background reading, you might also consider reading this thread http://www.webhostingtalk.com/showthread.php?t=540531 where some respectable ETP's have contributed to the thread and express their opinions. It might also "fill in any gaps" in my communications with eNom.
eNom has a hugely serious security flaw in their system. I have been the victim of the exploitation of this flaw and had a domain stolen from my account.
In a nutshell, the security flaw is that eNom transfer the previous domain owner's domain password in the domain push to the new owner. This gives the old owner access to the domain in the new owner's eNom account. There is no good reason why you should ever pass the old domain owner's domain password when a domain is pushed, and there is a general consensus amongst the ETP's I've discussed this with that the domain password should never be passed on but should be reset to a blank password. Thereby preventing the old owner an opportunity to steal the domain. Nobody at eNom considers this to be a problem. But my experience will demonstrate that it is a problem.
It's my opinion, that in trying to get satisfaction of this grievance has only led eNom down a road of obfuscation and deception with their dealings with me. To wit, Jason Cluphf's claim that I never relocked the domain after the domain was pushed to my eNom account. To wit, Jason Cluphf's claim that my grievance should be with the third party who sold me the domain, which is in fact eNom's Club Drop, who in my opinion are negligent in pushing the domain into my eNom account. Compromising the domain from the very beginning.
Should you require any further information after reading the links I have provided and talking with your colleagues, I would be happy to provide any additional information you require.
The position as it stands now is that eNom are refusing to file a TDRP because the transfer took place under the recommended ICANN transfer guidelines. They do not acknowledge they have a security problem which can cause a fraudulent transfer to take place and still be within these recommended guidelines.
I'm asking you to personally intervene in this dispute and to arrange for the domain to be returned to my account.
|
Their response...
Quote:
According to our records, this domain name was registered by another
party through our Club Drop service and subsequently pushed to your eNom
account. eNom is not involved in any third party transactions which may
have taken place with this domain and thus cannot make any determination
in who the rightful owner should be.
Our system is designed to allow our resellers to easily manage
domains under their master reseller control without having to change the
domain password every time the domain is moved from one account to
another. If you purchased a domain name from an eNom reseller, it is
your responsibility as the buyer to make any necessary password changes
in order to protect your purchase.
As stated earlier, due to the transfer being compliant with ICANN
regulations and GoDaddy's unwillingness to participate in any
investigation, eNom's hands are tied and there are no grounds for filing
a TDRP.
In closing, eNom's role in this issue is very limited and we do not
have the necessary records to back up your claim. We are not competent
to make any determination in how or why the domain changed hands as this
was a third party transaction that did not involve us. What you consider
a "security flaw" is a design feature for the ease of use for our
reseller base and is not viewed as a security hole as it is pretty
standard that password changes are in order if/when domain name
registrations change hands.
|
My reply..
Quote:
ATTN: Martin Garthwait
Dear sir,
There have been no third party transactions on this domain. The account which purchased XXXXX.COM from Club Drop was by me, in my reseller account. Subsequently, when I acquired full ETP status it was transferred to my new ETP account. I repeat. There have been no third party transactions on this account (apart from the theft).
I consider Club Drop have been negligent in pushing the domain to my account with the knowledge that it is already compromised with a domain password known by a third party. I should be protected from such action from the outset and not have to retrospectively worry about changing passwords to domains. This domain was passed to me by Club Drop with a password created by the previous owner of the domain. I have no relationship or transaction with the previous owner. My only relationship is with Club Drop and eNom. I don't think it is incumbent upon me to expect that Club Drop pushed a domain into my account with a domain password which is known by a third party.
You have a security flaw but won't admit it. Period. This domain has been stolen from my account due to this flaw, as has been explained to me by your Transfer Specialist. Passing third party passwords along with the domain push is insecure. Any idiot with half a brain can recognize that. Ease of use should not be a consideration when security is at stake. Most of the ETP's I've discussed this with agree that the domain password should NOT be pushed but blanked. It's a security flaw.
I find it so incredulous that you don't have the records, that I consider it to be untrue. Even I have records showing the domain in my account the day after the transfer took place, and it was still locked. How does a domain which is locked get transferred away? I think this is more "snow-job", just like I've been experiencing with this dispute from the beginning. Nobody is willing to investigate this thoroughly or provide a decent explanation because they don't want to admit any fault. "I forgot" or "we don't have the records" doesn't cut it, at all. You have the records. You can see the transfer request was not from my ip address, for example. You have the records.
It's a fraudulent transaction. That by itself is against ICANN regulations. This is a joke. It must be April 1st. If you have an ombudsman at eNom, I wish for this complaint to be elevated to him. If you refuse to file a TDRP for the recovery of this domain then I wish to be refunded for my purchase/renewal of this domain and a sum to be determined for all the emotional stress this incompetence has caused me.
|

08-21-2006, 10:13 PM
I think I'll check my domains for retained passwords now.

08-21-2006, 10:16 PM
Quote:
|
Originally Posted by CD Burnt
I think I'll check my domains for retained passwords now.
|
I think the only way you can do that is to assign a password. 
__________________
Together, we can make a difference. Hosting For Haiti - 100% of donations go to the American Red Cross Haiti Relief and Development Fund.

08-21-2006, 11:14 PM
I should have had my people take care of this.
SWR, my domains showed nothing in the password field when I checked. To test, I put in a password for one of them. When checked, it did show "something" in the password field.
I also went to namecheap and registerfly.
registerfly has a handy "domains with passwords" number to view (under "user accounts"). I did not test it.
I did not see where to check "access.enom" type passwords on namecheap. I did see where I could grant access to another user, or see what other users had access to the domain.
btw, nice postcount. 

08-22-2006, 10:00 AM
As a loyal enom customer I am frankly shocked at the way they blew you off. This is not your fault at all. How can they go about blaming a 3rd party when it was them. Have you filed an inquiry with icann? I think enom is still required to initiate a transfer dispute.
stu, best of luck in trying to get the name back

08-22-2006, 12:06 PM
Stu, I repeat again, move your domains asap from enom. I will do the same ...

08-22-2006, 07:28 PM
It gets even better. Their reply to my reply. This is from legal@enom.com. You'd think someone would do some research (at least once) before they come up with this stuff...
Quote:
Who is Jack Xxxxxxx? The account which picked the domain up through
Club Drop lists Mr. Xxxxxxxx as the account holder. The domain was pushed
from Mr. Xxxxxxxx's ETP account to your 'xxxx' account on 6/25/2006. This
push suggests a third party sell for which we have no records, as stated
in the previous email.
|
my reply...
Quote:
|
This is just so comical, I just don't believe you are so incompetent. I subsequently transferred my reseller account to Jack after I got my ETP account because it was surplus to requirements.
|
Oh.. by the way. Jack's account is a reseller sub-account, not an ETP. I know. I used to own it.
Last edited by stub; 08-22-2006 at 07:34 PM.

08-22-2006, 07:52 PM
I contacted the receiving registrar, GoDaddy, giving them my communications with eNom. You know what they said....
Quote:
I am sorry for your confusion and frustration with this issue. Unfortunately, as the gaining registrar, we must rely on the Whois at the time of transfer to determine if the transfer was invalid. For example, when the domain name transferred over to GoDaddy.com the registrant at the time of transfer was "Xxx Xx." Therefore, if this particular registrant contends the transfer we would be able to investigate the issue and determine if we were able to reinstate the domain name to the registrant at the time of transfer.
Please also note that the previous registrar could file a TDRP without GoDaddy.com's cooperation. Additionally, we are more than happy to provide them with information at the time of transfer, in fact, per ICANN's Transfer Policy, we are required to provide them this information. I will contact them to find out what information they are still looking for in order to proceed. So, I am not certain why their stating that we are "unwilling to participate in any investigation" is preventing them from moving forward.
In this case, it does not appear that this is a transfer dispute at all, but rather, an issue that you claimed occurred prior to the transfer. Therefore, as you seem to have been doing, you would need to contact the previous registrar to find out if any error might have happened prior to the transfer.
If you are unable to get a satisfactory response from the previous registrar or current registrant, as noted by our Domain Disputes staff, you may wish to proceed through a court or arbitration forum. That is the only other way we are authorized, per ICANN, to make changes to a domain name. Please be assured that if we receive notice of a pending legal dispute we will lock the name so that it cannot be transferred or otherwise modified. Likewise, when we receive a Decision we will update the name accordingly.
Please also note that the current registrant is using our privacy service, Domains By Proxy, www.domainsbyproxy.com. Per their Legal Complaints Policy:
Legal Complaints: The majority of Domains by Proxy customers act within the letter of the law. However, on occasion our service is used in conjunction with illegal or immoral behavior. If you believe a domain registration we hold violates the law or someone’s legal rights or is engaged in morally objectionable activities, we want to fully investigate the matter and act where we can. If you identify a situation you believe warrants our attention, please contact us via certified or courier mail:
|
So it's BS when eNom tell me that GoDaddy refuse to accept the TDRP. Oh.. btw..I'm not confused.