Moniker Security Hole
[QUOTE="dodo1, post: 2233492, member: 4305"]
I think I discovered a serious security hole at Moniker. At the end of last week I purchased a domain from a DNF user, which was successfully pushed into my Moniker account upon payment. I then tried to lock the domain and update the whois information, but Moniker's system would not allow me to do so because apparently the domain status was "in transfer". However, I had not initiated a transfer away from Moniker myself!

After the weekend the domain was gone from my account. I found out that it had been transferred out to another registrar. Fortunately for me, it was the seller of the domain who must have initiated the transfer to the other registrar a few days before the sale. He must have forgotten about it. I contacted him and he pushed the domain into my account at the other registrar. All fine. Great seller. The problem is that something like this would never have happened if Moniker still cared as much about the security of their customers' domains as they used to before things started to go downhill around 2010.

Correct me if I'm wrong, but the above example looks very much like a step-by-step manual on how to steal a domain from a Moniker account after a domain push:

1) Find a buyer for your domain, which is currently at Moniker.
2) Unlock the domain and initiate a transfer out to another registrar.
3) After payment has been received, push the domain into the buyer's Moniker account.
4) The buyer will not be able to stop the transfer because he cannot activate the domain lock.
5) Wait for the transfer to complete. You then have both the money and your domain.

To avoid something like this happening again, Moniker must not allow a domain push to another account as long as there is an active transfer request for that domain name, or they must not allow a domain to be transferred away after it was pushed into another customer's account when that transfer has been initiated by the previous owner.

Moniker, I still believe you can do better than this! Please remove this security vulnerability. Thanks.
[/QUOTE]
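
The two fixes proposed in the post above, modelled as registrar-side checks that bind a pending transfer to the account that currently owns the domain. This is an added example, not part of the original post and not Moniker's code; the `Domain` and `Registrar` classes, their method names, and the rule that locking cancels a pending transfer are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


class PolicyError(Exception):
    """Raised when an operation would violate the ownership policy."""


@dataclass
class Domain:
    name: str
    owner: str                                   # account currently holding the domain
    locked: bool = False
    transfer_requested_by: Optional[str] = None  # account that started a transfer out


class Registrar:
    """Hypothetical model of account pushes and outbound transfers."""

    def request_transfer_out(self, d: Domain, account: str) -> None:
        if account != d.owner:
            raise PolicyError("only the current owner may start a transfer")
        if d.locked:
            raise PolicyError("domain is locked")
        d.transfer_requested_by = account

    def push(self, d: Domain, seller: str, buyer: str) -> None:
        if seller != d.owner:
            raise PolicyError("only the current owner may push")
        # Fix 1: refuse the push while a transfer out is pending.
        if d.transfer_requested_by is not None:
            raise PolicyError("pending transfer must be cancelled before push")
        d.owner = buyer

    def lock(self, d: Domain, account: str) -> None:
        if account != d.owner:
            raise PolicyError("only the current owner may lock")
        # Assumed rule: the current owner can always lock, which cancels
        # any transfer still pending on the domain.
        d.transfer_requested_by = None
        d.locked = True

    def complete_transfer(self, d: Domain) -> bool:
        # Fix 2: a transfer is valid only if its requester still owns the domain.
        if d.transfer_requested_by != d.owner or d.locked:
            d.transfer_requested_by = None
            return False
        return True
```

Either check alone closes the gap described in the post; applying both means a stale transfer request cannot outlive a change of ownership even if one check is bypassed.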