It's actually even easier than that. All you have to do is change the reply-to
address in your e-mail program to pretend you are the admin contact for
the registration. As long as the e-mail address is still valid, or has a
valid nameserver record that can be verified by your outbound mail server,
and as long as you have the template and tracking numbers correct, it can be
done.
I have had certain other domain hosts, who shall remain nameless, here in
the Pacific Northwest do that to transfers away from us, without the
customer knowing, and voila, I get the nasty phone call Monday morning
wondering why their domain/e-mail is down due to DNS changes we had no idea
were taking place.
NSI makes the INS and the IRS look like efficient, friendly, customer
service driven agencies.
Long Live Open SRS, and slow, painful, bankrupt death to NSI :)
Jason Tarrant
Domain Administrator
InternetCDS
1-800-943-4638 xtn. 2330
541-773-9600 xtn 2330
www.internetcds.com
At 11:25 AM 6/2/00 -0600, you wrote:
>Even using the password facility at NSI is no guarantee.
>
>We recently ran into a situation where a domain had been registered by
>a previous employee. He used the password option instead of MAIL-TO,
>which was good. But he left the company, and nobody had the password.
>(yes, bad on our part) Contacting the individual was out, because he had
>left on somewhat less than ideal terms.
>
>Trying to resolve it through the infernal machine that is NSI was futile.
>So I stumbled onto what I consider a major security hole in the NSI
>system, although I was glad for it at the time. I sent a modify template
>to NSI from my email account. Because it wasn't coming from the admin's
>email account (our previous employee), I got a message back from NSI
>saying that because I wasn't the admin contact, they were going to email
>the admin contact for approval. Sure enough, the old employee's account
>received an email template from NSI, and all I had to do was submit that
>template from his account with a 'Y' in the proper field.
>
>No password necessary.
>
>Now granted, you need access to the admin contact's email account to
>do this, and my use of this hole was completely legitimate, but there
>are any number of ways to gain access to the admin contact's account.
>A lot of people are using free email accounts as their contact. Simply
>wait for the next Hotmail exploit to come out (which may take as long
>as a week), then hijack away.
>
>BTW, I've reported this hole to NSI, and received nothing back. They
>may know about it, they may not. This was several months ago, so I
>don't feel bad about publicizing the exploit.
>
>-k
>
>On Fri, Jun 02, 2000 at 10:52:01AM +0300, Doytchin Spiridonov wrote:
> > Huh, the problem is not so much with NSI but with the owners.
> >
> > Personally I think the owner is responsible if he set up MAIL-FROM
> > authentication because he is too lazy to read one or two pages of
> > explanations.
> >
> > And the problem is even bigger - personally I found an absolutely
> > different kind of vulnerability, and after I sent an e-mail
> > to the owner of a domain name saying that his name could be hijacked
> > very easily - I didn't get any response - so the owners also don't care.
> >
> > Well I hope others will not find the hole I am talking about,
> > just because the vulnerable service provider couldn't fix it.
> >
> > That's why I am laughing every time such a thing happens and at
> > how people then give interviews, etc., about how things
> > are not secure - but the owners should care more about the
> > stuff they "own".
> >
> > (BTW I had ICQ UIN 53000000 and it was hijacked, too,
> > and it was my fault - and the fault is that I am not familiar
> > with the Windows OS. When a domain name is hijacked,
> > in most cases it is the owner's fault, too. And UIN 5300000
> > is for sale now and I can't do anything because ICQ's
> > responsiveness is worse than that of NSI :)
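The two holes described in this thread, the reply-to spoof in the top message and the approval-template trick in -k's reply, side by side with a password-based check, as an added illustration that is not code from this thread, from any of its authors, or from NSI. The template layout, the header names (X-Auth-Password, X-Tracking-Number), the addresses and the registry record are all invented for the demo; NSI's real Guardian templates and tracking numbers are not reproduced here, and the choice of Reply-To over From as the header the weak check trusts is an assumption taken from the first message.

```python
"""Three ways a registry might authenticate a 'modify' template for a domain,
and what each one actually proves. Added illustration only: the template
format, header names, addresses and registry record are invented for the
demo and are not NSI's real templates or tracking numbers."""
import hashlib
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

# Constructed registry record for a hypothetical domain.
REGISTRY = {
    "example.org": {
        "admin_contact": "admin@example.org",
        # For CRYPT-PW: salted hash of the contact's password, never the password.
        "pw_salt": "7c1e",
        "pw_hash": hashlib.sha256(b"7c1e" + b"correct horse").hexdigest(),
    }
}
PENDING = {}  # tracking number -> domain awaiting admin approval


def sender_of(raw):
    """Address the weak scheme trusts: Reply-To if present, else From."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("Reply-To") or msg.get("From") or "")[1].lower()


def mail_from_auth(raw, domain):
    """MAIL-FROM: compare the header address with the registered contact.
    Both headers are typed in by whoever sends the mail, so a forged one passes."""
    return sender_of(raw) == REGISTRY[domain]["admin_contact"]


def crypt_pw_auth(raw, domain):
    """CRYPT-PW: the template must carry a secret only the contact knows
    (hypothetical X-Auth-Password header); compared in constant time."""
    supplied = message_from_string(raw).get("X-Auth-Password")
    if not supplied:
        return False
    rec = REGISTRY[domain]
    digest = hashlib.sha256(rec["pw_salt"].encode() + supplied.encode()).hexdigest()
    return hmac.compare_digest(digest, rec["pw_hash"])


def issue_approval(domain):
    """Request came from a non-contact: mail the admin contact a template with a
    fresh tracking number. Returns (recipient, tracking number) as the mailer would."""
    tracking = secrets.token_hex(8)
    PENDING[tracking] = domain
    return REGISTRY[domain]["admin_contact"], tracking


def approve(raw, domain):
    """Accept the returned approval template: known tracking number plus
    'Approve: Y'. This proves control of the contact's mailbox, nothing more."""
    msg = message_from_string(raw)
    tracking = msg.get("X-Tracking-Number", "")
    if PENDING.get(tracking) != domain:
        return False
    approved = any(line.strip().lower() == "approve: y"
                   for line in msg.get_payload().splitlines())
    if approved:
        del PENDING[tracking]  # one-shot: a replay of the same template fails
    return approved


def forged_template(reply_to, extra_headers=""):
    """Constructed sample: a modify template sent by an outsider who simply
    set Reply-To to the admin contact's address."""
    return (f"From: attacker@evil.example\nReply-To: {reply_to}\n"
            f"To: hostmaster@registry.example\n{extra_headers}"
            "Subject: MODIFY DOMAIN example.org\n\n"
            "Domain: example.org\nNameserver: ns1.evil.example\n")


def demo():
    forged = forged_template("admin@example.org")
    results = {
        # Header spoofing alone satisfies MAIL-FROM.
        "mail_from_forged": mail_from_auth(forged, "example.org"),
        # The same mail without the secret fails CRYPT-PW ...
        "crypt_pw_forged": crypt_pw_auth(forged, "example.org"),
        # ... and passes only when the real password is supplied.
        "crypt_pw_real": crypt_pw_auth(
            forged_template("admin@example.org", "X-Auth-Password: correct horse\n"),
            "example.org"),
    }
    # Approval flow: whoever can read the contact's mailbox can send back 'Y'.
    recipient, tracking = issue_approval("example.org")
    reply = (f"From: {recipient}\nX-Tracking-Number: {tracking}\n\n"
             "Domain: example.org\nApprove: Y\n")
    results["approval_with_mailbox"] = approve(reply, "example.org")
    # Replaying the already-consumed template (or guessing a number) fails.
    results["approval_replayed"] = approve(reply, "example.org")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:24s} {'ACCEPTED' if outcome else 'rejected'}")
```

The point the two messages make falls out of the results: the MAIL-FROM check accepts a template whose only credential is a header the sender typed, and the approval round-trip only moves the question to who can read the contact's mailbox (a free webmail account, in -k's scenario). Only the password scheme ties the change to something the mailbox does not contain, which is also why losing that password, as in -k's case, is so hard to recover from.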
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:37 EDT