DNforum.com - Domain Sales, Domain Forum, Domain Appraisals
 
Old 08-24-2006, 01:15 PM   #21 (permalink)
stu

Re: Warning: Domain stolen. Huge security flaw.

eNom have verbally agreed to refund my Club Drop purchase price and eNom renewal for this domain. They do not admit to any security flaw but make some vague reference to investigating the issue. Now, I ask myself. Why would they make such an offer if they're not wrong? You make your own minds up.
Old 08-24-2006, 06:37 PM   #22 (permalink)
carlton

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by stu
eNom have verbally agreed to refund my Club Drop purchase price and eNom renewal for this domain. They do not admit to any security flaw but make some vague reference to investigating the issue. Now, I ask myself. Why would they make such an offer if they're not wrong? You make your own minds up.
Will you post the domain name now or name of the person who stole it? Full disclosure seems like a good idea given that it's played out with enom customer service.
Old 08-25-2006, 12:14 AM   #23 (permalink)
Mr. Deleted

Re: Warning: Domain stolen. Huge security flaw.

http://www.7j.cc/files/enomaccess.JPG here is where the problem is...
Old 08-25-2006, 01:00 AM   #24 (permalink)
loscocco

Re: Warning: Domain stolen. Huge security flaw.

kinda off topic but has anyone ever had problems with name theft at Godaddy? Sometimes I worry about them.
Old 08-25-2006, 05:47 AM   #25 (permalink)
Mr. Deleted

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by Preoccupy
Thank you for the great information, sir!
Have a great weekend !

np. What I suggest is for all names you buy, that you change the password there to something you may remember. Weird that they have this set up like that for clubdrop names though.
Old 08-25-2006, 05:48 AM   #26 (permalink)
Mr. Deleted

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by loscocco
kinda off topic but has anyone ever had problems with name theft at Godaddy? Sometimes I worry about them.
Not personally, but search dnf for MALL.com and see for yourself if you want to keep good names there.
Old 08-25-2006, 11:51 PM   #27 (permalink)
stu

Re: Warning: Domain stolen. Huge security flaw.

Well it's not just Club Drop, but any push from eNom account to eNom account will do it. In their communications with me they called it a "feature" that they didn't change the password on a domain push. Eh? Then when I wasn't getting anywhere at all, I asked for an explanation how this domain was transferred away, and they blatantly admonished me for not changing the domain password after the push to my account. Eh, again? It's the other way around, Duh! Club Drop are negligent in passing me a domain with a domain password which was known by some third party. Gulp! And eNom are still refusing to TDRP the domain even tho I'm the rightful legal owner and it was stolen due to their negligence. If I'd bought it from a third party, then I could understand their position because I was dealing directly with the third party. However, I had nothing to do with the third party in this case. I bought it directly from eNom's Club Drop. My loss due to their negligence. It stinks.

Last edited by stu; 08-25-2006 at 11:59 PM.
Old 08-26-2006, 12:03 AM   #28 (permalink)
stu

Re: Warning: Domain stolen. Huge security flaw.

They also still haven't explained how the domain, which was locked, got transferred away. I have proof that the domain was still in my account, and locked, 1 day after it was transferred away. This means to me that it was still locked at the time of transfer. Food for thought.
Old 08-26-2006, 04:45 AM   #29 (permalink)
Mr. Deleted

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by stu
Well it's not just Club Drop, but any push from eNom account to eNom account will do it. In their communications with me they called it a "feature" that they didn't change the password on a domain push. Eh? Then when I wasn't getting anywhere at all, I asked for an explanation how this domain was transferred away, and they blatantly admonished me for not changing the domain password after the push to my account. Eh, again? It's the other way around, Duh! Club Drop are negligent in passing me a domain with a domain password which was known by some third party. Gulp! And eNom are still refusing to TDRP the domain even tho I'm the rightful legal owner and it was stolen due to their negligence. If I'd bought it from a third party, then I could understand their position because I was dealing directly with the third party. However, I had nothing to do with the third party in this case. I bought it directly from eNom's Club Drop. My loss due to their negligence. It stinks.
Reason I was saying it is strange that a club drop name still had that pass is that a name that drops, should have been DROPPED, and all old info should have been wiped. So now, if we want to keep a name, just let it drop, make sure we have a password on the name, and when it does, and they will have it in the new reg when they sell it at Clubdrop? Then we just log in and update the info and pull it away... free renewal, heh!

I myself keep a password in most of mine so that I can log into it if needed, and it helped me recover a name once that a guy was holding for me and not responding to my messages. It was my name, but was in his account. I kept asking for a push, but he never replied, so I logged in, and put my contact in the whois and ordered a transfer. He was surprised, but did not notice it till a few weeks later when he came on messenger, and I told him and explained what had happened. Apparently he was having problems with his family members (like someone ill) and was not online. But he was cool with it, and we're still on good terms, but that can be a good thing to have...

Just not in a clubdrop name or a name that was sold, can you imagine buying a xx,xxx name and after buying it, the seller pushed it, and you made a popular site, and then a year later, your top name was in his account again? So if you have a drop, change the pass. I would think they would do it, but apparently not.
Old 08-26-2006, 06:14 AM   #30 (permalink)
WeBuyThe.Com

Re: Warning: Domain stolen. Huge security flaw.

There should be a way to bulk edit names to turn the feature OFF

Last edited by WeBuyThe.Com; 08-26-2006 at 07:17 AM.
Old 08-26-2006, 07:05 AM   #31 (permalink)
namestrands

Re: Warning: Domain stolen. Huge security flaw.

Bad idea: bulk editing all your domain names with the same password. For example, if you sold one of those domains and pushed it into the other person's account, the password would remain.

I know a way that I could get access to that password, which would then give me access to every one of your domains if I knew what they were.

Obviously I am not going to post the bug here, but rest assured I will be making Enom aware of this flaw.

I have tested it on 3 of our accounts and I have to say the flaw is real, and I managed to recover the password each time.

I really would stress all users to remove the domain access password from their domains.. DO NOT attempt to global update your domains with the same password.

Last edited by namestrands; 08-26-2006 at 07:13 AM.
Old 08-26-2006, 07:37 PM   #32 (permalink)
Mr. Deleted

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by namestrands
Bad idea: bulk editing all your domain names with the same password. For example, if you sold one of those domains and pushed it into the other person's account, the password would remain.

I know a way that I could get access to that password, which would then give me access to every one of your domains if I knew what they were.

Obviously I am not going to post the bug here, but rest assured I will be making Enom aware of this flaw.

I have tested it on 3 of our accounts and I have to say the flaw is real, and I managed to recover the password each time.

I really would stress all users to remove the domain access password from their domains.. DO NOT attempt to global update your domains with the same password.
That sounds scary too... How do you remove passes though?
Old 08-26-2006, 07:42 PM   #33 (permalink)
namestrands

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by stu
They also still haven't explained how the domain, which was locked, got transferred away. I have proof that the domain was still in my account, and locked, 1 day after it was transferred away. This means to me that it was still locked at the time of transfer. Food for thought.
Even if a domain is locked it can still be pushed into another enom account, is the domain still regged at ENom?

I suspect what has happened is the previous owner has pushed the domain back into their own account, it may not be a situation of theft per se. More likely ignorance by the previous owner who let it expire.

I am sure enom can follow the paper trail (be it virtual). If you get no joy send me a PM and I will give you the details of a key contact at Enom whom I am sure will assist.

The thing is to remain cool, calm and collected. Ignore the "Random" comments from preoccupy, as they serve no purpose whatsoever, this guy's comments get more bizarre each time he posts.

I have filed a complaint with my Account manager at Enom regarding the password being pushed during transfer, it clearly is not a feature but a flaw.

If the person taking the domain has since transferred to another registrar then your only course of action is UDRP, however a simple C&D letter may scare them enough to transfer the domain back.

Best of luck and let us know how you get on.. this would make an interesting case study.
Old 08-26-2006, 07:44 PM   #34 (permalink)
namestrands

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by Mr. Deleted
That sounds scary too... How do you remove passes though?
You have to request, as you cannot do it manually, another "Feature".

Have raised this issue also.

May I request that all Enom Resellers and portfolio owners raise a ticket or contact your account manager to this effect, this is a serious flaw and should be addressed. The more that request the more likely Enom will take notice.

Last edited by namestrands; 08-26-2006 at 07:47 PM.
Old 08-26-2006, 07:55 PM   #35 (permalink)
Mr. Deleted

Re: Warning: Domain stolen. Huge security flaw.

Quote:
Originally Posted by namestrands
Even if a domain is locked it can still be pushed into another enom account, is the domain still regged at ENom?

I suspect what has happened is the previous owner has pushed the domain back into their own account, it may not be a situation of theft per se. More likely ignorance by the previous owner who let it expire.

I am sure enom can follow the paper trail (be it virtual). If you get no joy send me a PM and I will give you the details of a key contact at Enom whom I am sure will assist.

The thing is to remain cool, calm and collected. Ignore the "Random" comments from preoccupy, as they serve no purpose whatsoever, this guy's comments get more bizarre each time he posts.

I have filed a complaint with my Account manager at Enom regarding the password being pushed during transfer, it clearly is not a feature but a flaw.

If the person taking the domain has since transferred to another registrar then your only course of action is UDRP, however a simple C&D letter may scare them enough to transfer the domain back.

Best of luck and let us know how you get on.. this would make an interesting case study.

But access.enom.com does not allow you to PUSH a name, it just allows you to access it to update the whois and name servers.

Edit: I found what you are referring to as to how to get that password... that is serious.

Last edited by Mr. Deleted; 08-26-2006 at 08:07 PM.
Old 08-26-2006, 08:11 PM   #36 (permalink)
namestrands

Re: Warning: Domain stolen. Huge security flaw.

There is a flaw that allows push, but will not post until enom have corrected the issue.
Old 09-26-2006, 02:31 PM   #37 (permalink)
Josh

Re: Warning: Domain stolen. Huge security flaw.

This is one of several reasons I moved all my domains to Moniker recently. I was a long time Enom customer but had enough.

At Moniker, it requires corporate officer approval for any domain to be transferred outside the registrar. Monte contacted me himself when I was transferring a domain away, to let me know what was going on, if I knew about it, etc.

Try calling Enom sometimes. It's Russian roulette to get anyone to answer at all. Yet at Moniker, I have an account manager who is reachable by AIM, email, or phone--and if he's not, someone at Support is.

Another "feature" Enom had, and may still have, is if a domain accidentally runs a couple of days past renewal. Enom unlocks the domain!? EVEN after you renew the domain, enom doesn't go back and relock the domain. The ENOM system would report the domain is locked, but the central registry would say it's unlocked. And you think, oh do a global edit? Nope, because the enom system thought the domain was locked, it would skip the domain, still leaving it unlocked. I reported this numerous times--never so much as a response. They may have finally fixed this, I don't know.
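The mismatch described in the post above (control panel reports "locked", central registry reports "unlocked") can be audited from the owner's side by comparing the panel's view with the status lines in the registry's WHOIS output. This is an added example, not part of the thread and not eNom's code; the function names, the input shapes and the sample domains are assumptions constructed for illustration.

```python
import re

# Registry-side status values that block an outbound transfer.
# clientTransferProhibited / serverTransferProhibited are EPP statuses;
# REGISTRAR-LOCK is the older RRP-era name for the registrar lock.
LOCK_STATUSES = {"clienttransferprohibited", "servertransferprohibited", "registrar-lock"}

STATUS_LINE = re.compile(r"^\s*(?:Domain )?Status:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def registry_statuses(whois_text):
    """Return the set of lower-cased status tokens found in a WHOIS response."""
    return {m.group(1).lower() for m in STATUS_LINE.finditer(whois_text)}


def audit_locks(panel_view, whois_by_domain):
    """Compare the registrar panel's lock flag with the registry's own status.

    panel_view: {domain: True/False} as shown in the registrar control panel.
    whois_by_domain: {domain: raw registry WHOIS text}.
    Returns {domain: finding} for every domain that needs attention.
    """
    findings = {}
    for domain, panel_locked in sorted(panel_view.items()):
        text = whois_by_domain.get(domain)
        if text is None:
            findings[domain] = "no registry data"  # cannot confirm either way
            continue
        registry_locked = bool(registry_statuses(text) & LOCK_STATUSES)
        if panel_locked and not registry_locked:
            findings[domain] = "panel says locked, registry says unlocked"
        elif not panel_locked and registry_locked:
            findings[domain] = "panel says unlocked, registry says locked"
        elif not panel_locked:
            findings[domain] = "unlocked"
    return findings


# Constructed sample data (hypothetical domains, not taken from the thread).
SAMPLE_PANEL = {"renewed-late.example": True, "healthy.example": True, "parked.example": False}
SAMPLE_WHOIS = {
    "renewed-late.example": "Domain Name: RENEWED-LATE.EXAMPLE\nDomain Status: ok https://icann.org/epp#ok\n",
    "healthy.example": "Domain Name: HEALTHY.EXAMPLE\nStatus: clientTransferProhibited\nStatus: clientUpdateProhibited\n",
    "parked.example": "Domain Name: PARKED.EXAMPLE\nStatus: ACTIVE\n",
}

if __name__ == "__main__":
    for name, finding in audit_locks(SAMPLE_PANEL, SAMPLE_WHOIS).items():
        print(f"{name}: {finding}")
```

Domains flagged "panel says locked, registry says unlocked" are the ones a bulk re-lock in the panel would skip, so they need an explicit unlock-then-lock or a support ticket.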
Old 10-16-2006, 12:04 AM   #38 (permalink)