Possible Security Exploit in Dreamhost.com Domain Transfers

I’ve been transferring my domains over to Dreamhost.com after Name.com & GoDaddy.com both turned out to be run by complete assholes. (reference: Name.com is doing some really sketchy stuff)

During the Dreamhost transfer process, I noticed an odd behavior and brought it up with their Customer Support team. After numerous back & forths, they don’t seem to understand the issue I’ve brought up. Perhaps you will…

When you receive a confirmation request from Dreamhost at the ‘outbound’ registrar’s email address, you’ll read this message:

Re: Transfer of destroybrooklyn.com

New Dream Network, LLC (dba DreamHost.com) has received a request from

jonathan vanasco

via our web administration panel on 2013-03-18 for us to become the new
registrar of record.

You have received this message because you are listed as the
Registered Name Holder or Administrative contact for this domain name
in the WHOIS database.

Please read the following important information about transferring
your domain name:

  * You must agree to enter into a new Registration Agreement with
us. You can review the full terms and conditions of the Agreement at

http://dreamhost.com/tos.html

  * Once you have entered into the Agreement, the transfer will take
place within five (5) calendar days unless the current registrar of
record denies the request.

  * Once a transfer takes place, you will not be able to transfer to
another registrar for 60 days, apart from a transfer back to the
original registrar, in cases where both registrars so agree or where a
decision in the dispute resolution process so directs.

If you WISH TO PROCEED with the transfer, you must respond to this
message via one of the following methods (note if you do not respond
by 2014-03-18, destroybrooklyn.com will not be transferred to us.).

  * please go to our website, 

https://panel.dreamhost.com/ct.cgi?g=SOME_BIG_NUMBER&d=destroybrooklyn.com

    to confirm.

If you DO NOT WANT the transfer to proceed, then don't respond to this
message.

If you have any questions about this process, please contact
support@dreamhost.com.

You might have noted that the text of that email effectively just says “Do you want to approve this transfer from GoDaddy to Dreamhost?”. It doesn’t say which Dreamhost account initiated the request, and it doesn’t give a “Transaction ID” that links the request I made when starting this transfer to this confirmation request.

The webpage you click through to is equally cryptic (this is its HTML source):

Attention: godaddy@2xlp.com
<p>
Re: Transfer of <b>destroybrooklyn.com</b>
<p>

New Dream Network, LLC (dba <a
href="http://www.dreamhost.com">DreamHost.com</a>) has received a
request on 2013-03-18 08:37:23 for us to become
the new registrar of record.

<p>
You have received this message because you are listed as the
Registered Name Holder or Administrative contact for this domain name
in the WHOIS database.
<p>
Please read the following important information about transferring
your domain name:

<ul>

<li>You must agree to enter into a new Registration Agreement with
us. You can review the full terms and conditions of the Agreement at
<a href="http://dreamhost.com/tos.html">http://dreamhost.com/tos.html</a>

<li>Once you have entered into the Agreement, the transfer will take
place within five (5) calendar days unless the current registrar of
record denies the request.

<li>Once a transfer takes place, you will not be able to transfer to
another registrar for 60 days, apart from a transfer back to the
original registrar, in cases where both registrars so agree or where a
decision in the dispute resolution process so directs.

</ul>

If you WISH TO PROCEED with the transfer, please click "Approve"
below.  (Note if you do not respond by 2014-03-18, destroybrooklyn.com will
not be transferred to us.)

<p>

<form method="post" action="ct.cgi">
<input type="hidden" name="d" value="destroybrooklyn.com">
<input type="hidden" name="g" value="SOME_BIG_NUMBER">

<input type="submit" name="confirm" value="Approve transfer request">
<input type="submit" name="confirm" value="Deny transfer request">
</form>

<p>
If you DO NOT WANT the transfer to proceed, then ignore this page, or click "Deny" above.
<p>
If you have any questions about this process, please contact
<a href="mailto:support@dreamhost.com">support@dreamhost.com</a>.

Both the email and the webpage do carry “SOME_BIG_NUMBER”, which looks like a transaction ID: it appears in the email as a query-string parameter and on the HTML page as a hidden form value. But it is a value I never saw at any point while initiating the transfer, so I have nothing to compare it against.

Perhaps I’ve become a bit too security-minded in my age, but this scenario really jumps out at me — if someone knew that I was likely to transfer a domain to Dreamhost (which is something more than a few people have tweeted about), another party could ostensibly try to transfer the same domain at the same time — and I would have no way of telling which request I’m approving. Granted, one would need to obtain the Registrar Authorization Code in order to initiate a domain transfer — but there are plenty of stories online involving email hacking, password guessing, and registrar manipulation to get that done. While the email does state my name, that proves little: anyone wanting to trick someone into giving up a domain could populate that field from the target’s public whois data (or their Twitter info).

An exploit like this is admittedly an edge case… but it’s possible, and there’s such a silly little fix to this sort of situation: give the transaction a unique ID (which it probably already has), and make that ID visible both to the account requesting the transfer and to the party approving it, so the approver can check that the two match.

Do you wish to approve the transfer of DomainXYZ from GoDaddy to Dreamhost?

Could so easily be…

Do you wish to approve the transfer of DomainXYZ from GoDaddy to Dreamhost, with the TransactionID 12345?
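To make the proposal concrete, here is a small model of the two notice styles side by side. This is an added example written for this post, not Dreamhost’s code, and everything in it is an assumption: the registry class, the account names, the five-day response window, and the HMAC-bound confirmation token are all constructed for illustration. The point it demonstrates is the one above: when two transfer requests for the same domain are opened at the same time, a notice that only names the domain and date is identical for both, while a notice that carries the transaction ID and the initiating account lets the approver match it against what they saw in their own panel. The approval endpoint also accepts only a token bound to that specific transaction and domain, so a confirmation for one request cannot approve another.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed demo secret; a real registrar keeps this in a secret store or HSM.
CONFIRMATION_KEY = b"constructed-demo-key-not-for-production"
RESPONSE_WINDOW_DAYS = 5  # assumed response window, not Dreamhost's actual policy


@dataclass
class TransferRequest:
    """One inbound transfer request as the gaining registrar records it."""
    transaction_id: str        # unguessable; shown to BOTH requester and approver
    domain: str
    requesting_account: str    # account at the gaining registrar that started it
    requested_on: date
    expires_on: date


class TransferRegistry:
    """Hypothetical model of a gaining registrar's transfer bookkeeping."""

    def __init__(self, today: date):
        self.today = today
        self._requests: dict[str, TransferRequest] = {}

    def initiate_transfer(self, domain: str, requesting_account: str) -> TransferRequest:
        """Panel-side step: record the request and hand the requester its transaction ID."""
        tx = TransferRequest(
            transaction_id=secrets.token_urlsafe(12),
            domain=domain,
            requesting_account=requesting_account,
            requested_on=self.today,
            expires_on=self.today + timedelta(days=RESPONSE_WINDOW_DAYS),
        )
        self._requests[tx.transaction_id] = tx
        return tx

    def confirmation_token(self, tx: TransferRequest) -> str:
        """Bind the approval link to this transaction, domain and requesting account."""
        msg = f"{tx.transaction_id}|{tx.domain}|{tx.requesting_account}".encode()
        return hmac.new(CONFIRMATION_KEY, msg, hashlib.sha256).hexdigest()

    def weak_notice(self, tx: TransferRequest) -> str:
        """The style of notice the post quotes: domain and date only, no transaction context."""
        return (f"Re: Transfer of {tx.domain}\n"
                f"A request was received on {tx.requested_on} for us to become "
                f"the new registrar of record. Respond by {tx.expires_on}.")

    def notice(self, tx: TransferRequest) -> str:
        """Notice as the post proposes: names the transaction and the initiating account."""
        return (f"Re: Transfer of {tx.domain}\n"
                f"Transaction ID: {tx.transaction_id}\n"
                f"Initiated by account '{tx.requesting_account}' on {tx.requested_on}\n"
                f"Compare this Transaction ID with the one shown in your panel when "
                f"you started the transfer. Respond by {tx.expires_on}.")

    def approve(self, transaction_id: str, domain: str, token: str) -> bool:
        """Approval endpoint: accept only a token bound to a live, matching transaction."""
        tx = self._requests.get(transaction_id)
        if tx is None or tx.domain != domain or self.today > tx.expires_on:
            return False
        return hmac.compare_digest(self.confirmation_token(tx), token)


def demo(today: date = date(2013, 3, 18)) -> dict:
    """Two concurrent requests for the same domain from different accounts (constructed)."""
    reg = TransferRegistry(today)
    mine = reg.initiate_transfer("destroybrooklyn.com", "jonathan")
    other = reg.initiate_transfer("destroybrooklyn.com", "some-other-account")
    return {
        # the quoted-style notice cannot tell the two requests apart
        "weak_notices_identical": reg.weak_notice(mine) == reg.weak_notice(other),
        # the proposed notice names a transaction ID the approver can match
        "notices_distinct": reg.notice(mine) != reg.notice(other),
        "approve_ok": reg.approve(mine.transaction_id, mine.domain,
                                  reg.confirmation_token(mine)),
        # a token issued for one transaction must not approve the other
        "cross_token_rejected": not reg.approve(other.transaction_id, other.domain,
                                                reg.confirmation_token(mine)),
        "wrong_domain_rejected": not reg.approve(mine.transaction_id, "example.com",
                                                 reg.confirmation_token(mine)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The transaction ID is generated with a CSPRNG so it cannot be guessed, but guessability is not the issue the post raises; the issue is that the approver is never shown it. Printing the same ID in the requester’s panel and in the losing-registrar notice is what gives the human a way to tell “my transfer” from “someone else’s transfer of my domain”.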

2 Responses to Possible Security Exploit in Dreamhost.com Domain Transfers

  1. Hello there! I am the VP of Product & Development at DreamHost, and your post was brought to my attention. I had my team look directly into the issue, and we have verified that there actually is not a security exploit available in the process you’ve outlined.

    Thanks for bringing it up, it’s always good for us to evaluate and double check our security measures. We’ve put a lot of effort into security over the last few years, including implementing Multi-Factor Authentication, improving encryption of sensitive data, security scanning tools implemented by our security and abuse teams, and more.

    • Jonathan says:

      Thanks for the reply!

      As I said in the title, I was concerned there’s possibly an exploit. It’s not something that I’m sure of. And I’ve explicitly noted that if so, this would be an edge case where someone would need to have knowledge of an incoming transfer, and would have had to grab the authorization code from another registrar. If you search Twitter for “I’m leaving godaddy for dreamhost” or Bing for “Domain HiJacking”, you’ll find both of these situations are sadly commonplace. Dreamhost does have measures to keep people from social engineering an auth code, but not every other registrar does.

      I’ve been a happy dreamhost customer for 13+ years now. There are likely systems going on behind the scenes that prevent unscrupulous activities – and I actually do trust you guys.

      Suffice to say, from my perspective, I’m expected to leverage all my trust in you to transfer a domain via a plaintext email & web-page confirmation that lists no specific transaction information. I’m simply asked “Do you want to transfer your domain to Dreamhost?” — and not “Do you want to transfer your domain to Dreamhost, for the Account/Transaction identified by x,y,z?” If you got that email or webpage, you’d be more than a bit concerned — and it would take barely any effort to show users this information and eliminate any doubts.
