Re: [DNS] Gaping security flaw that may have helped domain name scammers

From: Bennett Oprysa <bennett§enetica.com.au>
Date: Fri, 25 Jul 2003 18:18:48 +1000
Phil,

Thanks for pointing out the problem with our script; as you saw, we had 
it fixed within 10 minutes. Your concern for the registrants whose 
expiry dates were available is somewhat less straightforward 
considering you have known of the bug for at least 4 days but did not 
inform us of it until today, AFTER trying to get certain media outlets 
to take up your amazing discovery.

Thanks anyway,

Bennett.


Phil Wright wrote:

> Enetica, one of Australia's largest auDA accredited Registrars, has
> exposed a gaping security flaw that may have helped domain name
> scammers.
> 
> Domain name scammers that have plagued the industry for years use domain
> name expiry dates to send fake invoices for domain renewals to unaware
> consumers in an attempt to solicit overly expensive domain name
> renewals.
> 
> By visiting https://www.enetica.com.au/register.cgi?action=renew, you can
> enter any domain name administered by Enetica and have its expiry date
> returned. Domain name scammers, like Domain Names Australia, would find
> it very easy to query thousands of domain names against this webpage and
> acquire domain expiry dates for their dubious business.
> 
> An example domain name you can query is "enetica.com.au" or
> "hiltonsydney.com.au".
> 
> Domain name owners whose names are administered by Enetica or their
> resellers should be doubly vigilant about such domain renewal scams.
> 
> An example of the results of such a query is:
> 
>  Error: Domain is not due for renewal.
> 
> Thank-you for choosing to renew/transfer your domain name(s). However,
> the domain 'hiltonsydney.com.au' does not expire until 18/06/2005.  As
> '.au' domains cannot be renewed prior to 90 days before their expiration
> date, we cannot process a renewal for this domain at this time. Please
> try again in 607 days (a renewal notice will be sent to the admin
> contact for this domain when it is due for renewal)
> 
> If you have other domains to renew/transfer, please press the back
> button on your browser and edit the details on that page.
> 
> Take a look at the screenshots
> http://www.atlanticportfolio.com/enetica/enetica/
>  
> Instead of chasing tigers' tails and wasting industry development monies
> on trivial legal pursuits, how about auDA put money and effort into
> ensuring our privacy as consumers is protected, and let legislative
> bodies like the ACCC handle the scammers? After all, they actually
> have jurisdiction.
> 
> Cheers
> 
> Phil Wright
> 
Received on Fri Oct 03 2003 - 00:00:00 UTC
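The bulk-lookup risk Phil describes above (one client querying many domains against the renewal page to harvest expiry dates) is the kind of thing a registrar can spot in its own web server logs. The following is an added example, not code from Enetica or from either poster: it parses constructed Apache combined-log lines, keeps only hits on the `/register.cgi?action=renew` endpoint named in the post, and flags clients that probed more distinct domains than a threshold. The `domain` query parameter name is an assumption; the post only shows the endpoint URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Apache combined-log lines (not real traffic).
# The "domain" parameter name is assumed; the post only shows
# https://www.enetica.com.au/register.cgi?action=renew.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2003:10:01:02 +1000] "GET /register.cgi?action=renew&domain=example.com.au HTTP/1.1" 200 512
203.0.113.10 - - [25/Jul/2003:10:01:03 +1000] "GET /register.cgi?action=renew&domain=example2.com.au HTTP/1.1" 200 512
203.0.113.10 - - [25/Jul/2003:10:01:04 +1000] "GET /register.cgi?action=renew&domain=example3.com.au HTTP/1.1" 200 512
203.0.113.10 - - [25/Jul/2003:10:01:05 +1000] "GET /register.cgi?action=renew&domain=example4.com.au HTTP/1.1" 200 512
198.51.100.7 - - [25/Jul/2003:10:02:00 +1000] "GET /register.cgi?action=renew&domain=hiltonsydney.com.au HTTP/1.1" 200 512
198.51.100.7 - - [25/Jul/2003:10:09:00 +1000] "GET /register.cgi?action=renew&domain=hiltonsydney.com.au HTTP/1.1" 200 512
192.0.2.44 - - [25/Jul/2003:10:03:00 +1000] "GET /index.html HTTP/1.1" 200 1024
"""

# client ip, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_renew_queries(log_text):
    """Yield (client_ip, queried_domain) for every hit on the renewal endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than crash
        ip, _ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/register.cgi":
            continue
        qs = parse_qs(parts.query)
        if qs.get("action") != ["renew"]:
            continue
        domain = qs.get("domain", [""])[0].strip().lower()
        if domain:
            yield ip, domain


def flag_enumerators(log_text, max_distinct=3):
    """Return {ip: sorted distinct domains} for clients that looked up more
    than max_distinct different domains; a legitimate registrant retrying
    their own domain (198.51.100.7 in the sample) stays below the bar."""
    seen = defaultdict(set)
    for ip, domain in parse_renew_queries(log_text):
        seen[ip].add(domain)
    return {ip: sorted(d) for ip, d in seen.items() if len(d) > max_distinct}
```

Counting distinct domains rather than raw hits is what separates a registrant retrying one renewal from a client sweeping a list of names.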

This archive was generated by hypermail 2.3.0 : Sat Sep 09 2017 - 22:00:07 UTC