Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.
Domain summit 2024

moniker Moniker Security Hole

This is a discussion about the domain name register/company Moniker.

dodo1

DNF Addict
Legacy Exclusive Member
Joined
Jun 18, 2003
Messages
1,422
Reaction score
8
Feedback: 50 / 0 / 0
I think I discovered a serious security hole at Moniker. At the end of last week I purchased a domain from a DNF user, which was successfully pushed into my Moniker account upon payment. I then tried to lock the domain and update the whois information, but Moniker's system would not allow me to do so because apparently the domain status was "in transfer". However, I had not initiated a transfer away from Moniker myself!

After the week-end the domain was gone from my account. I found out that it had been transferred out to another registrar. Fortunately for me, it was the seller of the domain who must have initiated the transfer to the other registrar a few days before the sale. He must have forgotten about it. I contacted him and he pushed the domain into my account at the other registrar. All fine. Great seller. The problem is that something like this would never have happened if Moniker still cared as much about the security of their customers' domains as they used to before things started to go downhill around 2010.

Correct me if I'm wrong, but the above example looks very much like a step-for-step manual on how to steal a domain from a Moniker account after a domain push:

1) Find a buyer for your domain, which is currently at Moniker.
2) Unlock the domain and initiate a transfer out to another registrar.
3) After payment has been received, push the domain into the buyer's Moniker account.
4) The buyer will not be able to stop the transfer because he cannot activate the domain lock.
5) Wait for the transfer to complete. You then have both the money and your domain.

To avoid something like this happening again, Moniker must not allow a domain push to another account as long as there is an active transfer request for that domain name, or they must not allow a domain to be transferred away after it was pushed into another customer's account when that transfer has been initiated by the previous owner.

Moniker, I still believe you can do better than this! Please remove this security vulnerability. Thanks.
 
Domain summit 2024

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Sedo - it.com Premiums

IT.com

Premium Members

AucDom
UKBackorder
Be a Squirrel
MariaBuy

New Threads

Our Mods' Businesses

UrlPick.com
Free QR Code Generator by MerchArts

*the exceptional businesses of our esteemed moderators

Top Bottom