So someone with access at Epik could log in as a customer, then push a domain to another account, in theory?
Could they make other domain or account changes?
They could, but it was still logged.
What does that look like in the system? Does that look like the customer moved the domain or made the changes?
No, it was logged as the employee account having done it, but these changes were usually not shown in the customer portal. (Maybe it was still visible from the task list, though.)
All "login as" actions were also logged, but it went a lot further: every API call was logged.
When a domain search was made, for instance, or a push was started, ..
How did my domain PianoMoving.com move to another account after about a month of ownership?
It was clearly done internally by Epik, as only they had access to do it.
If you didn't do it, then yes. However, it wasn't necessary to use the "login as" feature to achieve this. There was a "Push to account" feature inside of the admin directly; this was faster for doing a push. (You searched for a domain, accessed its details page, then clicked a "push to account" link; it requested the new account's email and that's it.)
Epik should be able to produce all of these records.
They should be able to provide them to a court or ICANN. Now, I don't think they would release them to a customer directly. Depending on when the domain left your account, you could try to look into the Epik data leak (if it happened after).
1) When you did a "login as" to a customer account, were you able to edit their account (CC details, domain transfers, Masterbucks transfers) as that customer?
CC details, domain transfers: yes. (You couldn't see the existing card's CVC, though.)
But not Masterbucks transfers. What you could do is spend their Masterbucks on Epik products, BUT this would show in the Masterbucks page inside of Epik, and you needed to have a good reason to do this; you can't spend users' funds for no reason. I was very careful when interacting with the in-store balances as well.
2) Did you or other admins have access to all logs or only your log report?
I had access to all logs, but I was admin. It's possible users with fewer privileges couldn't see them at all.
3) Were both the registry and registrar dates displayed in the UI for users?
The user portal showed the registrar date, just like Epik's WHOIS. To get the registry date, you can easily get it from the registry (see https://lookup.icann.org/en).
4) So Epik updated in real time when a user tried to renew, but the registry renewal could take more time. Was there a way to verify the registry date and update the registrar date through some cron job? How would they know if the registry failed to update the record?
The registry renewal could take more time because of how the system was created; it's normal behavior. (A queue system, because it had to be sent by EPP, and there was a pool of processes connecting to EPP, picking tasks from the system and reporting their result when done.) It's also great because it allows scaling easily.
If a task failed, for any reason, it would create an error in the task system. There was a page inside of the admin showing all failed tasks, and we could easily restart them if needed.
Also important to note that a task could fail for many reasons; for example, if the registry thought your address was invalid, they could refuse to do your registration, and that created an error.
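As an added example of the cron-style check asked about in question 4 (this is not Epik's code and is not from the thread), the script below reconciles the registrar-side expiry date, the one the portal shows, with the registry's date taken from an RDAP domain response (lookup.icann.org is an RDAP client, and RDAP responses carry an "events" array with an "expiration" event). It also consults the renew-task state, so a registry that is behind the registrar is reported as "pending" while the EPP task is queued, as "failed, restart the task" when the task errored, and as something to investigate otherwise. The registrar records, RDAP documents and task states are constructed sample data; the function names are my own.

```python
"""Reconcile registrar-side expiry dates with registry (RDAP) data.

Added example, not Epik's code. Assumes the registrar stores one expiry
date per domain, the registry exposes RDAP, and the renewal queue exposes
a per-domain task state. All inputs below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed registrar-side records: what the customer portal would show
# right after a renewal was queued (the registrar date is bumped at once).
REGISTRAR_RECORDS = {
    "example.com": "2026-03-01T00:00:00Z",
    "example.net": "2026-03-01T00:00:00Z",
    "example.org": "2026-03-01T00:00:00Z",
    "example.info": "2025-03-01T00:00:00Z",
}

# Constructed state of the EPP renew task per domain (absent = no task).
TASK_STATES = {
    "example.net": "queued",
    "example.org": "failed",
}


def _rdap_doc(name, expiry):
    # Shape of a real RDAP domain lookup, reduced to the fields used here.
    return json.dumps({
        "objectClassName": "domain",
        "ldhName": name,
        "events": [
            {"eventAction": "registration", "eventDate": "2020-03-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": expiry},
        ],
    })


# Constructed RDAP responses as the registry would return them.
RDAP_RESPONSES = {
    "example.com": _rdap_doc("example.com", "2026-03-01T00:00:00Z"),   # in sync
    "example.net": _rdap_doc("example.net", "2025-03-01T00:00:00Z"),   # renew queued
    "example.org": _rdap_doc("example.org", "2025-03-01T00:00:00Z"),   # renew failed
    "example.info": _rdap_doc("example.info", "2026-03-01T00:00:00Z"), # registrar stale
}


def parse_iso(ts):
    """Parse the UTC timestamp format RDAP uses (e.g. 2026-03-01T00:00:00Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rdap_expiry(rdap_json):
    """Return the registry expiration date from an RDAP domain response."""
    doc = json.loads(rdap_json)
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "expiration":
            return parse_iso(ev["eventDate"])
    raise ValueError("no expiration event in RDAP response")


def reconcile(registrar_records, rdap_responses, task_states):
    """Classify each domain by comparing registrar and registry expiry dates."""
    report = {}
    for domain, registrar_ts in registrar_records.items():
        registrar = parse_iso(registrar_ts)
        try:
            registry = rdap_expiry(rdap_responses[domain])
        except (KeyError, ValueError):
            report[domain] = "registry_unavailable"
            continue
        if registrar == registry:
            report[domain] = "in_sync"
        elif registrar > registry:
            # Registrar already shows the renewal, registry does not yet.
            task = task_states.get(domain)
            if task == "queued":
                report[domain] = "renew_pending"
            elif task == "failed":
                report[domain] = "renew_failed_restart_task"
            else:
                report[domain] = "registry_behind_investigate"
        else:
            # Registry is ahead: the registrar's own record is stale.
            report[domain] = "registrar_behind_update_record"
    return report


if __name__ == "__main__":
    for domain, status in reconcile(REGISTRAR_RECORDS, RDAP_RESPONSES, TASK_STATES).items():
        print(f"{domain}: {status}")
```

In a real cron job the RDAP documents would come from an HTTP fetch of the registry's RDAP base URL, and only the "renew_failed_restart_task" and "registry_behind_investigate" rows would page anyone; "renew_pending" is the normal queue latency the answer above describes.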
5) Do you know how many admin types there were, and was there a super admin, and did that account show up in log reports as well?
I think there were super admins, but for something not to show in the reports, the changes had to be done either outside of the admin or be subsequently erased by accessing the DB manually.
This wasn't very frequent because it's not a good use of tech resources.
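As an added example covering both the earlier "login as" / "push to account" discussion and the point in question 5 about changes that bypass the logs (this is not Epik's code and is not from the thread), the script below reconciles a list of domain ownership changes against an admin audit log. Each change is classified as customer-initiated, done by an employee through a "login as" session, done by an employee through the admin's direct push, or unlogged, meaning no API call explains it, which is the signature of a change made outside the admin or erased from the log afterwards. The ownership history, audit entries, account and employee IDs, and the ten-minute matching window are all constructed assumptions.

```python
"""Reconcile domain ownership changes against an admin audit log.

Added example, not Epik's code. Assumes every admin API call is logged
with the acting account, its type, and the customer it impersonates when
the call came through a "login as" session. All data below is constructed.
"""
import datetime as dt

# Constructed ownership history: (domain, old_owner, new_owner, changed_at).
OWNERSHIP_CHANGES = [
    ("pianos.example", "cust-1001", "cust-2002", "2021-05-02T10:15:00Z"),
    ("alpha.example", "cust-1001", "cust-3003", "2021-05-03T09:00:00Z"),
    ("beta.example", "cust-4004", "cust-5005", "2021-05-04T12:30:00Z"),
    ("gamma.example", "cust-6006", "cust-7007", "2021-05-05T08:00:00Z"),
]

# Constructed audit log: one entry per API call, including noise entries.
AUDIT_LOG = [
    {"ts": "2021-05-02T10:14:30Z", "actor": "emp-42", "actor_type": "employee",
     "impersonating": None, "action": "domain_search", "domain": "pianos.example",
     "target_account": None},
    {"ts": "2021-05-02T10:14:55Z", "actor": "emp-42", "actor_type": "employee",
     "impersonating": None, "action": "push_to_account", "domain": "pianos.example",
     "target_account": "cust-2002"},
    {"ts": "2021-05-03T08:58:00Z", "actor": "emp-17", "actor_type": "employee",
     "impersonating": "cust-1001", "action": "login_as", "domain": None,
     "target_account": None},
    {"ts": "2021-05-03T08:59:40Z", "actor": "emp-17", "actor_type": "employee",
     "impersonating": "cust-1001", "action": "push_to_account", "domain": "alpha.example",
     "target_account": "cust-3003"},
    {"ts": "2021-05-04T12:29:10Z", "actor": "cust-4004", "actor_type": "customer",
     "impersonating": None, "action": "push_to_account", "domain": "beta.example",
     "target_account": "cust-5005"},
    # gamma.example changed owner but no push_to_account call was recorded.
]

WINDOW = dt.timedelta(minutes=10)


def parse_ts(ts):
    """Parse the UTC timestamp format used in the constructed log."""
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def classify_change(change, audit_log, window=WINDOW):
    """Return (classification, actor) for one ownership change."""
    domain, old_owner, new_owner, changed_at = change
    changed = parse_ts(changed_at)
    for entry in audit_log:
        if entry["action"] != "push_to_account" or entry["domain"] != domain:
            continue
        if entry["target_account"] != new_owner:
            continue
        if abs(parse_ts(entry["ts"]) - changed) > window:
            continue
        if entry["actor_type"] == "customer" and entry["actor"] == old_owner:
            return ("customer", entry["actor"])
        if entry["actor_type"] == "employee" and entry["impersonating"] == old_owner:
            return ("employee_login_as", entry["actor"])
        if entry["actor_type"] == "employee":
            return ("employee_admin_push", entry["actor"])
        # A customer who was not the owner pushed it: should be impossible.
        return ("unexpected_actor", entry["actor"])
    # No API call explains the change: out-of-band DB edit or erased log.
    return ("unlogged", None)


def reconcile(changes, audit_log):
    """Classify every ownership change; keyed by domain."""
    return {c[0]: classify_change(c, audit_log) for c in changes}


def needs_review(report):
    """Domains whose change was not made by the owning customer."""
    return sorted(d for d, (kind, _) in report.items() if kind != "customer")


if __name__ == "__main__":
    rep = reconcile(OWNERSHIP_CHANGES, AUDIT_LOG)
    for domain, (kind, actor) in rep.items():
        print(f"{domain}: {kind} by {actor}")
    print("review:", needs_review(rep))
```

The "unlogged" class is the one worth alerting on: with every API call logged, an ownership change that no push call explains can only come from a direct database edit or a deleted log row, which is exactly the case the last answer describes.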