Re: "Domain Names Hijacked" news article

From: Kirk Rafferty (kirk@fpcc.net)
Date: Fri Jun 02 2000 - 13:25:11 EDT


Even using the password facility at NSI is no guarantee.

We recently ran into a situation where a domain had been registered by
a previous employee. He used the password option instead of MAIL-TO,
which was good. But he left the company, and nobody had the password.
(Yes, bad on our part.) Contacting the individual was out, because he had
left on somewhat less than ideal terms.

Trying to resolve it through the infernal machine that is NSI was futile.
So I stumbled onto what I consider a major security hole in the NSI
system, although I was glad for it at the time. I sent a modify template
to NSI from my email account. Because it wasn't coming from the admin's
email account (our previous employee), I got a message back from NSI
saying that because I wasn't the admin contact, they were going to email
the admin contact for approval. Sure enough, the old employee's account
received an email template from NSI, and all I had to do was submit that
template from his account with a 'Y' in the proper field.

No password necessary.

Now granted, you need access to the admin contact's email account to
do this, and my use of this hole was completely legitimate, but there
are any number of ways to gain access to the admin contact's account.
A lot of people are using free email accounts as their contact. Simply
wait for the next Hotmail exploit to come out (which may take as long
as a week), then hijack away.

BTW, I've reported this hole to NSI, and received nothing back. They
may know about it, they may not. This was several months ago, so I
don't feel bad about publicizing the exploit.

-k

On Fri, Jun 02, 2000 at 10:52:01AM +0300, Doytchin Spiridonov wrote:
> Huh the problem is not so much with NSI but with the owners.
>
> Personally I think the owner is responsible if he set up MAIL-FROM
> authentication because he is too lazy to read one or two pages with
> explanations.
>
> And the problem is even bigger - personally I found an absolutely
> different kind of vulnerability, and after I sent an e-mail
> to the owner of a domain name that his name could be hijacked
> very easily - I didn't get any response - so the owners also don't care.
>
> Well I hope others will not find the hole I am talking about,
> just because the vulnerable service provider couldn't fix it.
>
> That's why I am laughing every time such a thing happens and
> how people then give interviews, etc. about how things
> are not secure - but the owners should care more for the
> stuff they "own".
>
> (BTW I had ICQ UIN 53000000 and it was hijacked, too,
> and it was my fault - and the fault is that I am not familiar
> with the Windows OS. When a domain name is hijacked
> in most cases it is the owner's fault, too. And UIN 5300000
> is for sale now and I can't do anything because ICQ's
> responsiveness is worse than that of NSI :)
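The weakness Kirk describes is an authorization flow with two paths of unequal strength: the password path checks a secret, but the "approve from the admin mailbox" path does not, so control of the mailbox is enough even when a password was set. The following is an added toy model of such a flow (not code from the original mail, and not NSI's system); it contrasts the flawed approval logic with a hardened variant that demands the password on the approval step as well. All domain names, addresses and tokens are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Domain:
    name: str
    admin_email: str
    password: Optional[str]        # None models MAIL-FROM: the admin mailbox alone authorises
    nameservers: List[str]


@dataclass
class Registrar:
    # Hardened behaviour: an approval from the admin mailbox must also carry
    # the domain's password whenever one is set. The flawed model sets this False.
    password_required_on_approval: bool
    domains: Dict[str, Domain] = field(default_factory=dict)
    pending: Dict[str, Tuple[str, List[str]]] = field(default_factory=dict)  # token -> change
    outbox: List[dict] = field(default_factory=list)  # simulated approval emails

    def submit_modify(self, domain: str, sender: str, new_ns: List[str],
                      password: Optional[str] = None) -> str:
        d = self.domains[domain]
        if d.password is not None and password == d.password:
            d.nameservers = new_ns          # password path: applied at once
            return "applied"
        if d.password is None and sender == d.admin_email:
            d.nameservers = new_ns          # MAIL-FROM path: sender address is the check
            return "applied"
        # Anyone else: mail an approval template to the admin contact and wait.
        token = secrets.token_hex(8)
        self.pending[token] = (domain, new_ns)
        self.outbox.append({"to": d.admin_email, "token": token})
        return "pending"

    def confirm(self, token: str, sender: str, answer: str,
                password: Optional[str] = None) -> str:
        """Process the returned template ('Y' in the approval field)."""
        domain, new_ns = self.pending[token]
        d = self.domains[domain]
        if sender != d.admin_email or answer != "Y":
            return "rejected"
        # The hole: without this check, a password-protected domain is changed
        # by anyone who can send mail as the admin contact.
        if (self.password_required_on_approval and d.password is not None
                and password != d.password):
            return "rejected: password required"
        del self.pending[token]
        d.nameservers = new_ns
        return "applied"


def new_registrar(hardened: bool) -> Registrar:
    reg = Registrar(password_required_on_approval=hardened)
    reg.domains["example.test"] = Domain(      # constructed sample domain
        "example.test", "admin@example.test", "s3cret", ["ns1.old.test"])
    return reg


def approve_without_password(hardened: bool) -> str:
    """Replay the scenario from the mail: an outsider submits a modify
    template, the approval mail is answered from the admin mailbox, and no
    password is supplied. Returns the registrar's verdict."""
    reg = new_registrar(hardened)
    status = reg.submit_modify("example.test", "outsider@elsewhere.test", ["ns1.new.test"])
    assert status == "pending"
    token = reg.outbox[-1]["token"]
    return reg.confirm(token, "admin@example.test", "Y")


def approve_with_password(hardened: bool) -> str:
    """Legitimate recovery path: the same approval, but the password is known."""
    reg = new_registrar(hardened)
    reg.submit_modify("example.test", "newadmin@example.test", ["ns1.new.test"])
    token = reg.outbox[-1]["token"]
    return reg.confirm(token, "admin@example.test", "Y", password="s3cret")


if __name__ == "__main__":
    print("flawed model, no password:  ", approve_without_password(False))
    print("hardened model, no password:", approve_without_password(True))
    print("hardened model, password:   ", approve_with_password(True))
```

The design point is that every path to a privileged change must terminate in the same strongest check the account has configured; an email round-trip is a notification channel, not a credential, and the mailbox the registrar mails to is only as safe as the provider hosting it.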



This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:37 EDT