Pwned by my own petard

Doug Mehus:
You’re always pointing out security holes for various other companies and their websites - and quite rightly so. Nonetheless, in a completely humorous fashion with tongue firmly in cheek, I was able to register the Gmail account “rgovostesDELETE@gmail.com”. See any problem with this?  :-P

It took me about a tenth of a second to switch over to the Terminal and watch the scrolling text in horror:

Domain ID:D104660104-LROR
Domain Name:RGOV.ORG
Created On:22-Jul-2004 02:07:19 UTC
Last Updated On:25-May-2007 00:35:34 UTC
Expiration Date:22-Jul-2008 02:07:19 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-07421604
Registrant Name:Ryan Govostes
...
Registrant Email:rgovostesDELETE@gmail.com

D’oh. The e-mail address listed in your WHOIS record has pretty much complete authority over the domain; if you put up a fake e-mail address, an attacker can often get access to that address and use it to talk your registrar into transferring the domain.

Doug is a good sport and handed over the Google account, but I should’ve known better. There’s no excuse, especially when Gmail supports plus addressing.
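
As an added example (not part of the original post), this Python script audits a WHOIS record in the Key:Value layout shown above and flags any contact e-mail that does not resolve to a mailbox you control, treating Gmail plus-addressed variants as the same mailbox. The sample record, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the "Key:Value" layout of the WHOIS output quoted above.
SAMPLE_WHOIS = """\
Domain Name:EXAMPLE.ORG
Registrant Name:Example Owner
Registrant Email:ownerDELETE@gmail.com
Admin Email:owner+whois@gmail.com
Tech Email:hostmaster@example.org
"""

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(addr):
    """Reduce an address to the mailbox that actually receives the mail."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        # Gmail delivers user+tag@ to user@ and ignores dots in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def contact_emails(whois_text):
    """Yield (field, address) for every '<Role> Email:' line in a WHOIS record."""
    for line in whois_text.splitlines():
        m = re.match(r"\s*([A-Za-z ]*Email)\s*:\s*(\S+@\S+)\s*$", line)
        if m:
            yield m.group(1).strip(), m.group(2)


def audit(whois_text, controlled_mailboxes):
    """Return contact fields whose address is not a mailbox we control."""
    owned = {canonical(a) for a in controlled_mailboxes}
    return [(field, addr) for field, addr in contact_emails(whois_text)
            if canonical(addr) not in owned]


if __name__ == "__main__":
    mine = ["owner@gmail.com", "hostmaster@example.org"]
    for field, addr in audit(SAMPLE_WHOIS, mine):
        print(f"{field}: {addr} is not a mailbox you control")
```

The plus-addressed admin contact passes because it lands in the owner's real inbox, while the munged "DELETE" address is reported as a separate, unowned mailbox.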

A brief announcement

I won’t be making posts here for a few weeks as I try to put some content on my Alacatia Labs blog. I’ll archive the good ones here after a month or so.

One Response to “Pwned by my own petard”

  1. Doug Mehus Says:

    (off-topic warning)

    hey Ryan,

    I have Windows Vista and Internet Explorer 7.0 installed on this computer (as opposed to Windows XP and Internet Explorer 6.0 on the other computer) and your “Ads by Google” are still dropped way down on the page, instead of tucked neatly underneath “Search” in the right-hand column. (The monitor is a 19 or 20 inch widescreen and there’s tonnes of whitespace on either side of your blog so it’s not an “overcrowding” problem with screen real estate.) There’s got to be a quick and easy CSS fix you can add to prevent this from happening.

    It seems to be limited to Internet Explorer, but at least now we know it’s much more widespread and not just limited to version 6.0 or earlier.

    Cheers, Doug
