The world's largest registrar GoDaddy is under fire, after it handed control of a domain name in exchange for no more than a fake ID (and a little bit of good, old-fashioned chutzpah).
Despite not knowing the account's PIN or credit card details, and without access to its listed email account, GoDaddy handed over login details to another person's account, giving them the ability to change ownership details or move the domain out of the company's systems to another registrar.
The penetration test was carried out by the CEO of security firm Night Lion Security, Vinny Troia, in response to a challenge from journalist Steve Ragan, and it revealed that despite multiple layers of security GoDaddy remains wide open to social engineering.
Troia was able to get past the request for an account PIN by acting as a frustrated executive and saying he didn't know it. On the question of the last four digits of the credit card, he claimed the domain had been registered by his assistant and he didn't know them.
And as for the email address, he explained that there was "a lot of office politics at the moment that I didn’t feel like getting into".
It did take some effort on Troia's part: he faked a social media account and set up a Gmail address to lend credibility. And finally he Photoshopped an Indiana driver's licence, creating a fake ID as evidence of his true identity.
In all it took several emails and phone calls and four days (over the weekend), but eventually he gained access to Ragan's account with no more than some front and plausible excuses.
GoDaddy did eventually send an email to the domain's listed email address, but only nine hours after the access details were handed over, which would have been too late to prevent the domain being moved beyond Ragan's reach.
Although it did require some effort and know-how, it's troublesome that the world's largest registrar, which has nearly 60 million domains under management and 13 million customers, could be duped in a similar way to the world's most valuable domain, Sex.com, which was stolen way back in 1995.
While it is less likely that Troia would have been successful against an account with a large number of domains (since GoDaddy tends to assign an account manager to anyone with more than 15 domains under their name), it does show a fundamental weakness at the heart of the domain name system.
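The three checks Troia talked his way past (account PIN, last four card digits, listed email address) only fail together if the help desk treats an explanation for a missing factor as equivalent to a passed check. The Python model below is an added example, not GoDaddy's procedure or anything described on the page: it encodes a fail-closed recovery policy in which an unverified factor counts as zero, an uploaded ID image counts for nothing (a help desk cannot authenticate an image, which is exactly what the Photoshopped licence exploited), and the mailbox of record is notified at the moment a request is received rather than hours after access is granted. The 24-hour hold period and the accepted factor combinations are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hold before a single-factor recovery is acted on. Assumed figure for the
# example; not any registrar's real policy.
HOLD_PERIOD = timedelta(hours=24)

# Constructed reference time used by the demo below.
T0 = datetime(2015, 3, 19, 9, 0, tzinfo=timezone.utc)


@dataclass
class RecoveryRequest:
    """Records what the agent actually verified, never what the caller claimed."""
    account: str
    pin_verified: bool = False            # caller gave the correct account PIN
    card_last4_verified: bool = False     # caller gave the last four card digits on file
    email_verified: bool = False          # a confirmation came back from the listed address
    id_document_supplied: bool = False    # an ID image was uploaded (deliberately weightless)
    received_at: datetime = T0
    log: list = field(default_factory=list)


def decide(req: RecoveryRequest, now: datetime) -> tuple[str, str]:
    """Return (decision, reason) with decision one of grant / hold / deny.

    Excuses are not inputs to this function: a factor is either verified or it
    is not, so "my assistant registered it" contributes nothing.
    """
    if req.email_verified:
        return "grant", "possession of the listed mailbox proven"
    if req.pin_verified and req.card_last4_verified:
        return "grant", "two knowledge factors verified"
    if req.pin_verified or req.card_last4_verified:
        # Weak evidence: the owner has already been notified (see process), so
        # release only once the hold period passes without an objection.
        if now - req.received_at >= HOLD_PERIOD:
            return "grant", "single factor plus hold period elapsed without objection"
        return "hold", "single factor only; waiting out hold period"
    return "deny", "no factor verified; an ID image alone does not identify the caller"


def process(req: RecoveryRequest, now: datetime) -> str:
    """Evaluate a request and log the owner notice at the same instant.

    The notice goes to the listed address on every attempt, granted or not,
    before any credential is released, so the registrant can object while the
    domain is still in their control.
    """
    decision, reason = decide(req, now)
    req.log.append((now, f"notice to listed email for {req.account}: {decision} ({reason})"))
    return decision


def hours_later(t: datetime, hours: float) -> datetime:
    """Helper for advancing the clock in the demo and tests."""
    return t + timedelta(hours=hours)


if __name__ == "__main__":
    # Constructed scenario mirroring the article: no PIN, no card digits, no
    # reply from the listed mailbox, only a fabricated ID image.
    attempt = RecoveryRequest("example-account", id_document_supplied=True)
    print(process(attempt, T0))                  # deny
    for when, line in attempt.log:
        print(when.isoformat(), line)

    # A single verified factor is held, then released after the hold period.
    partial = RecoveryRequest("example-account", pin_verified=True)
    print(process(partial, T0))                  # hold
    print(process(partial, hours_later(T0, 25))) # grant
```

The point of `process` is ordering: the notice is written in the same call that produces the decision, so the lag between access being granted and the owner hearing about it is zero by construction rather than nine hours.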
Troia said that, by exposing the security flaw, GoDaddy will "implement tougher verification procedures".
In related news, GoDaddy looks like it will move ahead with its long-delayed IPO. Today it posted an update to the Securities and Exchange Commission (SEC) valuing itself at between $2.6bn and $2.9bn, and proposing a $17-19 per share launch price on the New York Stock Exchange.
The IPO was first touted in 2006 but has been put off repeatedly, most recently when Google announced it was going into the domain selling business. But it now looks as if it will move forward, with GoDaddy execs downplaying Google's move.
The company will have the ticker GDDY. ®