Are expired domains a security loophole?

If you manage several domains you might think it’s OK to ignore renewal reminders for names you are no longer interested in. You may want to think again once you’ve heard about the experience of one unfortunate who was lucky that their encounter was with a cyber-angel rather than a geek from the dark side.

Self-described hacker and entrepreneur Ben Reyes had picked up a new domain for one of his projects, part of which meant tying it to Google Apps. When he tried to do this, his request was rejected as the domain had already been linked, but then not renewed. It’s at this point that a bit of tech-savvy exposed the security loophole.

Because of Ben’s knowledge and persistence he found out he could reclaim the domain and established himself as the new owner in the ‘eyes’ of Google for the sake of Apps. To his surprise, once he had done this he found he also had access to the previous owner’s email, calendar and contacts – more than enough to set about impersonating this person and getting access to more sensitive data. However, Ben’s a white hat ‘Social Engineer’ and was good enough to contact both Google to warn them and the prior registrant to let them set about changing some passwords.

As Google pointed out in their response, the easiest way to avoid the hassle is to make sure the domain does not expire:

"Many domain registrars offer auto-renewal features as part of their service,
and they send reminders before domains are due to expire"

You can easily check out the current auto-renewal status of all your Register365 domains and take the hassle out of renewals with our simple one tick process.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks

Leave a Reply

Your email address will not be published. Required fields are marked *