
Godaddy Security Hole – Are Your Domains Safe

Posted on February 8th, 2010 by admin in Domain News | 7 Comments »

I don’t know whether you remember this but Sarah Palin – the Republicans’ vice-presidential candidate for the last US election – was in the news (amongst other things) prior to that election as a result of her email account getting hacked.

Basically, some kid exploited Yahoo’s password reminder feature whereby he used publicly available information to answer Ms Palin’s security questions (she erred by putting in silly stuff as her 2 security questions).

There are numerous other cases of people using social engineering to “hack” their way to information and resources they otherwise do not have access to.

Some resources are more valuable than others – while you may attach emotional value to private emails you store in your inbox, you can directly attach monetary value to assets like domain names.

This is why I freaked out over a discovery I made today while helping out a friend who could not remember their Godaddy account password.

We followed the link to retrieve account password and were instructed to “Follow the instructions to the right” or choose from 3 possible options:
1. Retrieve Customer Number
2. Retrieve Password Hint
3. Reset Password

We clicked on Retrieve Password Hint and were shocked to find that all that was needed to take a look at my friend’s password hint was their Godaddy account number or username.

Why is this shocking?

Godaddy usernames / account numbers are not private. We share them with strangers all the time when we transfer/sell/buy domain names. Anyone can take a look at your password hint by simply typing in your Godaddy username or account number.

As Twitter recently reminded us, people tend to fall into bad habits when it comes to passwords. What are the odds that many people reveal their password outright, or give away enough to guess it, in Godaddy password hints that are this readily available?
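To make the concern concrete, here is an added example (toy code, not Godaddy's) contrasting the design described above, where the hint is displayed to anyone who types in a public customer number, with a hardened flow that emails the hint only to the address on record, plus a set-time check that refuses hints which give the password away. The account, email address and hint values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample account; customer numbers are treated as public,
# exactly as the post argues they are in practice.
@dataclass
class Account:
    customer_number: str
    email: str
    password: str
    hint: str

ACCOUNTS = {
    "12345678": Account("12345678", "john@example.com", "Fluffy2010", "my cat's name + year"),
}

OUTBOX: List[Tuple[str, str]] = []  # stands in for the mail server

def get_hint_insecure(customer_number: str) -> Optional[str]:
    """Weak design described in the post: anyone who types a (public)
    customer number reads the hint on screen."""
    acct = ACCOUNTS.get(customer_number)
    return acct.hint if acct else None

def request_hint_hardened(customer_number: str, email: str) -> str:
    """Hardened design: the hint is never displayed. It is emailed only to the
    address on record, and only if the caller already supplied that address.
    The reply is identical whether or not the pair matched, so the form does
    not confirm which customer numbers exist."""
    acct = ACCOUNTS.get(customer_number)
    if acct and acct.email.lower() == email.strip().lower():
        OUTBOX.append((acct.email, "Your password hint: " + acct.hint))
    return "If the details matched an account, the hint has been emailed to the address on record."

def hint_is_acceptable(password: str, hint: str, min_run: int = 4) -> bool:
    """Set-time check against hints that give the password away: reject a hint
    that contains the password, or that shares any run of min_run or more
    characters with it (case-insensitive)."""
    p, h = password.lower(), hint.lower()
    if p in h:
        return False
    return not any(h[i:i + min_run] in p for i in range(len(h) - min_run + 1))
```

Even the hardened flow still leaks the hint to anyone who controls the mailbox on record, which is why a hint that is not itself the password matters.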

I have written to Godaddy about this issue, but they did not feel there was anything to be concerned about, as their response below shows:

Dear John,
Upon reviewing this issue it does not appear as though further assistance is required. Please let us know if you have any further questions, comments, or concerns by replying to this email. Our service departments and telephone lines are open 24 hours a day, 365 days a year to accommodate your needs anytime.

I would love to hear your thoughts on this issue.


7 Responses to Godaddy Security Hole – Are Your Domains Safe

  1. Kate says:

    Hmmm… You still need:
    Customer Number + Email Address on Account

    Not as simple.
    I assume the new password will be sent to the E-mail address on record, so you need to have access to the E-mail as well.

  2. admin says:

    I don’t think you understood the problem Kate.

    If I transfer a domain name to you, I will have your customer number and email address. I will also have your full name which means I will have enough information to look for you on Facebook or Linked In in order to find more information about you.

    The Godaddy password hint system only asks for your customer number before it gives out the password hint on screen, right there…

    To me at least, this is a concern.

  3. Masrur says:

    I have already had trouble with Godaddy because of how easy it is to reveal my account to hackers.

    But, thank God, Godaddy helped me take back all the domains that the thief took..

    Now I’m thinking about whether to move or stay with Godaddy…

  4. Kate says:

    So I tried to reset my password and it says:
    “An email with the requested information has been sent!”

    I indeed received an E-mail with a link to follow in order to reset the password. Until I do that the current password remains unchanged.

    No password was revealed, at least not for me.

  5. admin says:

    Hi Kate,

    The problem is not with the Reset Password feature. It is with the Password Hint feature.

    John

  6. Jeremy says:

    Hi John,

    It also requires that you know the exact physical address associated with the account. This does not have to be the same address on your WHOIS records. I use a PO Box on my WHOIS contact info and a physical address for the actual billing. While a determined party could find that info, I would still receive the transfer request notice and be able to deny it. If they changed the contact info I would be notified of that as well and be able to take action.

    Still, I do agree, it shouldn’t be that easy. GD sends so many emails it’s easy to miss one if you’re away from email for a few days.

  7. admin says:

    Jeremy, you are right on both counts.

    John
