Forum

http://www.berlettefx.com/2007/01/5/exploiting-dynadot/

As far as I can tell, this has been fixed... Is that correct? When I tried entering a domain ID for a domain that wasn't in my account, I was redirected back to my list of domains.

First thing is - are you a fool or what? Why would you make a thing like this public - even though you are and the author are quite wrong.

You can change the domain id number to another one YOU have access to BUT NOT to someone elses.

You probably think we all got delivered by the stork as well

Hi Raph. The fault never really existed


[This post has been edited by e_h_rochedale south_au on Jan 14, 2007 6:39pm.]

That's what I thought - It would be a pretty basic mistake to make to allow everyone access to each other's domains...

This supposed exploit has been circulating around the web for a few weeks now. We were not able to reproduce it. We have received no complaints of domains being stolen this entire time.

I saw the original message about 4 weeks ago. If you change the ID number in the URL to one of your other ID numbers it will show that domain.

BUT this is the thing it will only do it with your own domains not another accounts. That's how the original fool found it by changing the ID number in the URL to one of his other domain ID's. Of course being such a bright spark (yeah right) he did not think that this may not work with someone else's domain ID's.  Having 3 accounts I checked the cross account reading and it just does not work.

For the record it's not just Dynadot, many other registrar sites are set up the same way. There is nothing wrong with it as long as adequate filters (ie. restrict to domains you own) are in place.