Feeds

300 UK domains pilfered, MASSIVE security lapse blamed

123-Reg, Nominet investigate website control-panel bug

Boost IT visibility and business value

Exclusive What appears to be a glaringly obvious security hole has been blamed for the snatching of 300 domains hosted by one web-hosting firm last year, The Reg has discovered.

A source told El Reg that anyone with a hosting package from 123-Reg, and hence an account control panel, simply had to change the final section of the URL manually (to, for example, /someoneelseswebsite.co.uk) to be able to gain access to another site's emails, name servers and billing.

With access to the admin panel, would-be domain thieves just had to change the contact details for UK registry Nominet to a new email address and then do a failed password request to have a new password sent to the new email address, locking the original owner out, our source claimed.

The .uk registry told The Reg it had "worked with registrars to help them tighten security and prevent a repeat of this incident". Both 123-Reg and Nominet informed us that there was "a query from a registrant" last year that led to Nominet "discovering some irregularities in registration and renewal patterns".

"As part of Nominet's standard operating procedures they locked the affected domains from any transfer or adjustment whilst they investigated further, and with our full support," 123-Reg said in an emailed statement.

Nominet said that its investigations into the issue revealed that "a total of 300 domains had been transferred over to a new registrant in the post-expiry period without the permission of the original registrant".

"We [have] terminated our registrar agreement with one registrar," the dot-UK registry said.

Neither firm would comment on how the the breach had come about or whether the matter had been referred to Britain's Information Commissioner.

Nominet said it couldn't elaborate any further because "we understand there is an ongoing police investigation into this issue". ®

Updated to add

Nominet has been in touch after publication to say that 123-Reg was not the only domain company involved: "Four registrars had domain names that were affected," a spokesman told us.

The essential guide to IT transformation

More from The Register

next story
Déjà vu: Virgin Media jacks up broadband prices
Screw copper phone lines, we're UNIQUE, bleats telco
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
New Sprint CEO says he will lower axe on staff – but prices come first
'Very disruptive' new rates to be revealed next week
US TV stations bowl sueball directly at FCC's spectrum mega-sale
Broadcasters upset about coverage and cost as they shift up and down the dials
What's the nature of your emergency, Vodafone?
Oh, you've dialled the wrong number for ad fibs, rules ASA
EE network whacked by 'PDP authentication failure' blunder
Carrier is 'aware' of cockup, working on a fix NOW
ROAD TRIP! An FCC road trip – Leahy demands net neutrality debate across US
You crashed watchdog's site, now time to crash its ears
Google's so smart it's discovered SHARKS HAVE TEETH
Congratulations, world media, for rediscovering submarine cable armour
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?