-
-
๐ Domain search now with sales history! ๐ฅณ
Should Enom remove this security hole?
- Thread starter armstrong
- Start date
The views expressed on this page by users and staff are their own, not those of NamePros.
enom has a number of other large problems with the way they do the api security as well.
Best practices for passwords is that they are not even readable by the system admins, as they should never be stored in clear text, or even a reversable cipher.
They already have a feature to enter an account, so why would we need the passwords to service them?
Best practices for passwords is that they are not even readable by the system admins, as they should never be stored in clear text, or even a reversable cipher.
They already have a feature to enter an account, so why would we need the passwords to service them?
Last edited:
- Impact
- 198
Hmmm - I don't really use my Reseller account as a "Reseller" - But I can see your point .......
Can I throw a "What Happens if ?" question in ? - It will help me answer your poll ~
If one of your Sub Accounts was to order something and then "Chargeback" or default some other way - What happens then ? Does enom take the loss or you ??? -
If your Reseller Account is held responsible - I'd be able to see where this function would be helpful - If not .... Dunno ....
Please clarify - As I said , Don't really use mine as such - So I've only got access to my own accounts ~
Can I throw a "What Happens if ?" question in ? - It will help me answer your poll ~
If one of your Sub Accounts was to order something and then "Chargeback" or default some other way - What happens then ? Does enom take the loss or you ??? -
If your Reseller Account is held responsible - I'd be able to see where this function would be helpful - If not .... Dunno ....
Please clarify - As I said , Don't really use mine as such - So I've only got access to my own accounts ~
- Impact
- 254
On a semi-side note: great reason not to have a standardized password as it would give said user access to any account that shares a username with your enom account.
And yes, I think they should remove that feature.
-Allan
And yes, I think they should remove that feature.
-Allan
- Impact
- 3,210
It could be trouble if someone got a hold of your reseller account, but I don't believe this is a security hole or a bug. Remember it's always been a fact that a reseller can access the accounts and domains of sub-retail accounts, and the system is setup that way for a reason. A reseller account basically has 100% control over their sub-retail accounts.
As a reseller, you are supposed to be managing and supporting your sub-retail accounts. Every automated notice comes from you and and those members are supposed to be coming to you for support (not enom). The API has some great features that even let resellers build their own interfaces to eNom and control their sub-retail accounts.
For these reasons, it's very important if you have a eNom retail account that you have gotten it from a trustworthy source. This does not apply to sub-reseller accounts.
As a reseller, you are supposed to be managing and supporting your sub-retail accounts. Every automated notice comes from you and and those members are supposed to be coming to you for support (not enom). The API has some great features that even let resellers build their own interfaces to eNom and control their sub-retail accounts.
For these reasons, it's very important if you have a eNom retail account that you have gotten it from a trustworthy source. This does not apply to sub-reseller accounts.
Control and accountability are two different things. As a reseller, I can already login to my account, then through that enter any of my retail sub-accounts and do whatever's necessary. enom's log will record that these changes were done using the parent reseller account. If instead changes were done by logging in as the retail account, then how is enom to know who made the changes - the parent reseller, or the retail account? If both of them deny it, then there's no way to prove who did what.
- Impact
- 4,070
I think for the reseller this is a convenient feature, however in the wrong hands could be misused I imagine.
- Impact
- 137
From a reseller account you can access a sub account with the resellers login. Hopefully this could be tracked to see who accessed it if something went wrong, somewhat like a master key in a hotel. I do think the personal login should be hidden from the reseller as long as they can gain access with the master login. resellers should have a way to reset or have a password mailed to the account owner, but should never be allowed to see it in plain text.
The way it is, and unscruplous reseller could pass on a login and password to anyone, and it may not be trackable back to them as doing so. I agree with the concern.
The way it is, and unscruplous reseller could pass on a login and password to anyone, and it may not be trackable back to them as doing so. I agree with the concern.
Just in case my main point was missed, I am going to repeat it here.
If enom was following what are considered best practices in this area, even they would not be able to tell you what the password is. Passwords should be stored as a hash only. The clear text should not be even being stored, let alone retrievable by others.
If enom was following what are considered best practices in this area, even they would not be able to tell you what the password is. Passwords should be stored as a hash only. The clear text should not be even being stored, let alone retrievable by others.
theparrot said:
You're right. Remember the case of VY.com? The Netsol account was compromised because of plaintext storage of password & challenge/response codes. Even Namepros (thru VB) has a better password recovery mechanism, where you get emailed a link to change your password. The actual password is never recoverable.
In my exchange with enom, they said, "You can only view your retail sub account passwords." Uh, hello? After I view the password, I can login as the retail account and do anything I want.
Someone asked me what's the point of posting this loophole. Three things: first, so we all understand the risk of keeping domains in a retail enom account (and maybe move to a reseller account); second, with this issue out in the open, enom can't claim to not have known about the risks when the proverbial sh*t hits the fan; third, maybe enom (and other registrars) will read this and improve their security procedures.
- Impact
- 3,210
I can't imagine that this is currently causing much problems because anyone with access to view those passwords already has complete access to those accounts anyway... BUT you make good points about traceability.
I guess when it comes down to it there is seldom a time when the parent reseller needs to know the actual password. A system like we have at NamePros would suffice. The user can retrieve his lost password himself through an automated system, or the admin (parent reseller) can have the option to reset the password on the account.
Reseller accounts are very powerful, and for good reason. Companies like namecheap.com and registerfly use the same types of reseller accounts that you have (with their own custom built API systems interfacing with it). I would not like to see eNom change the permission system at all, but I see the point of plain text passwords being a security concern.
I guess when it comes down to it there is seldom a time when the parent reseller needs to know the actual password. A system like we have at NamePros would suffice. The user can retrieve his lost password himself through an automated system, or the admin (parent reseller) can have the option to reset the password on the account.
Reseller accounts are very powerful, and for good reason. Companies like namecheap.com and registerfly use the same types of reseller accounts that you have (with their own custom built API systems interfacing with it). I would not like to see eNom change the permission system at all, but I see the point of plain text passwords being a security concern.
nicedomain4sale
Account Closed
- Impact
- 2
Oh no, that is really bad.
Your authority over the domain is not safe.
Oh my god, Enom should fixed that bug.
Your authority over the domain is not safe.
Oh my god, Enom should fixed that bug.
Similar threads
New posts โ
-
Iceland1.com- Post by Nitaky
-
eStuttgart.com
- Post by Nitaky
-
Showcase your .si domains (super-intelligence)- 121 posters
- InMy64
-
Openinvesto.com
- Post by ryan2321
Polls of interest โ
-
What are your strengths as an investor?- 186 voters
- 26 replies
-
What's your domain portfolio size?
- 463 voters
- 135 replies
-
How do you think a potential buyer first checks if your domain is for sale?- 509 voters
- 52 replies
Hot this week โ
-
The AI Domain Hangover Might Be Good for the Market- 30 comments
- 42 points
-
.Co domain registry nukes expired domain auctions- 15 comments
- 15 points
-
Hello Dominers. I'd like your feedback on my new project and some support.- 30 replies
- 4 posters
-
The Domain Community: S1 E6 - Explaining Domains to Grandma
- 14 replies
- 18 points
-
World.xyz Sold for $80,000; HealthIq.com for $30,999...- 11 replies
- 8 points
Hot this month โ
-
The $99 Experiment Is Teaching Me More About Domain Liquidity Than Appraisal Tools Ever Did
- 101 comments
- 52 points
-
Loading issues- 68 replies
- 7 points
-
AI vs. SI- 49 replies
- 17 points
-
WTB Robotics Domains .COM's Only
- 45 replies
- 37 posters
-
GCXR.COM - Start:$1 - Now Bid:$161 - Nex Bid:$162 - Now Bin:$199- 51 replies
- 10 points
