I think I discovered a serious security hole at Moniker. At the end of last week I purchased a domain from a DNF user, which was successfully pushed into my Moniker account upon payment. I then tried to lock the domain and update the whois information, but Moniker's system would not allow me to do so because apparently the domain status was "in transfer". However, I had not initiated a transfer away from Moniker myself!
After the week-end the domain was gone from my account. I found out that it had been transferred out to another registrar. Fortunately for me, it was the seller of the domain who must have initiated the transfer to the other registrar a few days before the sale. He must have forgotten about it. I contacted him and he pushed the domain into my account at the other registrar. All fine. Great seller. The problem is that something like this would never have happened if Moniker still cared as much about the security of their customers' domains as they used to before things started to go downhill around 2010.
Correct me if I'm wrong, but the above example looks very much like a step-for-step manual on how to steal a domain from a Moniker account after a domain push:
1) Find a buyer for your domain, which is currently at Moniker.
2) Unlock the domain and initiate a transfer out to another registrar.
3) After payment has been received, push the domain into the buyer's Moniker account.
4) The buyer will not be able to stop the transfer because he cannot activate the domain lock.
5) Wait for the transfer to complete. You then have both the money and your domain.
To avoid something like this happening again, Moniker must not allow a domain push to another account as long as there is an active transfer request for that domain name, or they must not allow a domain to be transferred away after it was pushed into another customer's account when that transfer has been initiated by the previous owner.
Moniker, I still believe you can do better than this! Please remove this security vulnerability. Thanks.
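The two fixes proposed above, modelled as independent switches in an added toy registrar (example code, not Moniker's system; the domain, account names and registrar name are constructed):

```python
from dataclasses import dataclass
from typing import Optional

class PolicyViolation(Exception):
    pass

@dataclass
class Domain:
    name: str
    owner: str                                   # account currently holding the domain
    transfer_requested_by: Optional[str] = None  # account that asked to transfer out

class Registrar:
    def __init__(self, refuse_push_when_pending=True, cancel_stale_transfer=True):
        self.refuse_push_when_pending = refuse_push_when_pending  # rule 1 switch
        self.cancel_stale_transfer = cancel_stale_transfer        # rule 2 switch
        self.domains: dict[str, Domain] = {}

    def request_transfer_out(self, name: str, actor: str) -> None:
        self.domains[name].transfer_requested_by = actor  # ownership check elided here

    def push(self, name: str, actor: str, new_owner: str) -> None:
        d = self.domains[name]
        if d.owner != actor:
            raise PolicyViolation(f"{actor} does not own {name}")
        # Rule 1: no push to another account while a transfer-out request is open.
        if self.refuse_push_when_pending and d.transfer_requested_by is not None:
            raise PolicyViolation(f"{name}: transfer pending, push refused")
        d.owner = new_owner

    def complete_transfer(self, name: str, gaining_registrar: str) -> None:
        d = self.domains[name]
        # Rule 2: a transfer requested by a previous owner is cancelled, not completed.
        if self.cancel_stale_transfer and d.transfer_requested_by != d.owner:
            d.transfer_requested_by = None
            raise PolicyViolation(f"{name}: stale transfer cancelled, domain stays put")
        d.owner = f"{gaining_registrar}:{d.transfer_requested_by}"
        d.transfer_requested_by = None

def replay_scenario(refuse_push_when_pending: bool, cancel_stale_transfer: bool) -> str:
    """Replay steps 2, 3 and 5 from the post; return who ends up holding the domain."""
    reg = Registrar(refuse_push_when_pending, cancel_stale_transfer)
    reg.domains["example.test"] = Domain("example.test", "seller")  # constructed sample
    reg.request_transfer_out("example.test", "seller")               # step 2
    try:
        reg.push("example.test", "seller", "buyer")                  # step 3
        reg.complete_transfer("example.test", "other-registrar")     # step 5
    except PolicyViolation:
        pass
    return reg.domains["example.test"].owner
```

With both switches off the domain ends up at the other registrar under the seller's name; either rule on its own keeps it out of the seller's hands.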