[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

Seamus Ryan s.ryan at uber.com.au
Thu Mar 20 16:45:53 EST 2014


Yup

http://www.ausregistry.com.au/tools/recover-password

Sends the password to the registrant, via email, in plain text. MelbourneIT (or any registrar for that matter) could do all the hashing or encrypting of the domain password they want; you would still be able to use that Ausregistry page to obtain the password in plain text. Granted, there have been recent improvements to .au domain security (such as .auLOCKDOWN) to protect against unauthorised domain modifications, but that isn't what we are talking about here.

It's nothing new.


- Seamus



From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Shane Short
Sent: Thursday, 20 March 2014 4:34 PM
To: Robert Hudson
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

I think you'll find Ausregistry stores them in plain text, too. I had one for a domain I'd planned to transfer a while ago... went to the Ausreg page to get it sent to me and I got the same password sent to me (so it's obviously not regenerated when you request it). I think it's probably unfair to target Melbourne IT specifically.



Robert Hudson<mailto:hudrob at gmail.com>
20 March 2014 9:47 am
Sorry to drag this old thread up - but I can confirm that MelbourneIT aren't alone in storing domain auth passwords in cleartext - I've just received an email from Europe Registry (http://www.europeregistry.com/) with a domain auth password contained within it in cleartext.


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog
Peter Lawler<mailto:ausnog at bleeter.id.au>
11 March 2014 4:45 am
It occurs to me that some noggers may not have previously been aware of this. But now that it's 'in the news', etc.

http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx