GoDaddy privacy flaw.

Ronald Regging

Sometimes I forget my Customer ID # at GoDaddy. I did this today and went through the whole retrieval process only to discover that this presents a potentially major privacy concern... Admittedly, this may only affect a very small % of domainers, but I want to make those who are affected by it aware of the issue so they can take steps to correct it.

In the Customer ID # retrieval process, you are able to enter any domain registered at GoDaddy and it will then take you to a page asking you to verify your email address associated with your GD account. It then lists your email address, well, partially...

EX. ******@domain.com

Now in most cases, this is not really any issue at all, however consider the following. You own Domain.com. You use [email protected] as your main contact email for your GoDaddy account. You also use this domain as the contact email for the Whois for all of your domains. And since you conduct business with this domain, you don't use Whois Privacy.

But now let's assume you have a few domains that you don't want anyone to know you own, so you decide to use Whois Privacy to protect your details.

The privacy flaw comes with the fact that all of your domains are linked to your main email account on record with GD, including those that use Whois Privacy. So all someone would have to do is enter your "private" domain on the Customer ID # retrieval page, which will then list the email associated with that account (well, the domain at least). Then it's as simple as doing a Whois lookup on that domain and getting all of your info.

I know this may sound overly paranoid and as I said, it may only affect a very small % of domainers, but I think we can all agree that when we pay for a privacy service (especially $7?? a year at GD), it should be 100% private.

* Just for the record, I am paranoid, but I don't use Whois Privacy :)
 
•••
You have too much time on your hands herb :lol:

Nice find though, Send them an email :]
 
•••
Nice observation... I actually went through this username recovery process for one of my relatives and it did indeed show her email domain. I didn't think anything of it at the time.

Even people typing in my non-private domains I wouldn't want seeing what email address I use. They need to remove that ASAP.
 
•••
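Added example, not part of any post in this thread and not GoDaddy's code: a minimal model of the Customer ID # retrieval flow the thread describes, showing the response that reveals the account email's domain beside a version that returns the same reply for every input. The domains, account data, function names and the choice to send the ID to the address on file are all assumptions made for illustration.

```python
# Constructed sample data: one account holds a public domain and a
# domain registered with Whois privacy. All names are hypothetical.
ACCOUNT_EMAIL = {"1001": "owner@public-example.com"}
DOMAIN_TO_ACCOUNT = {
    "public-example.com": "1001",
    "private-example.net": "1001",  # Whois privacy enabled
}

GENERIC_REPLY = {
    "status": "ok",
    "message": "If this domain is registered here, the customer ID "
               "has been sent to the email address on the account.",
}


def _lookup(domain):
    """Return the owning account ID for a domain, or None."""
    return DOMAIN_TO_ACCOUNT.get(domain.strip().lower())


def recover_with_hint(domain):
    """Flow as described in the thread: any visitor gets a masked email.

    Only the local part is masked, so the hint ties the private domain
    to the domain of the account's contact address.
    """
    account = _lookup(domain)
    if account is None:
        return {"status": "not_found"}
    email_domain = ACCOUNT_EMAIL[account].partition("@")[2]
    return {"status": "verify_email", "hint": "******@" + email_domain}


def recover_uniform(domain, outbox):
    """Hardened flow: no hint, and no difference between known and
    unknown domains in what the requester sees.

    The customer ID goes only to the address already on file; `outbox`
    stands in for the mail system (an assumption of this example).
    """
    account = _lookup(domain)
    if account is not None:
        outbox.append((ACCOUNT_EMAIL[account],
                       "Your customer ID is " + account))
    return dict(GENERIC_REPLY)
```

In a real service the uniform reply would be paired with rate limiting on the retrieval form, since each request for a registered domain still triggers an email to the account holder.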