Possible Security Exploit in Dreamhost.com Domain Transfers

I’ve been transferring my domains over to Dreamhost.com after Name.com & GoDaddy.com both turned out to be run by complete assholes. (reference: [Name.com is doing some really sketchy stuff](http://www.destructuring.net/2013/02/28/name-com-is-doing-some-really-sketchy-stuff/))

During the Dreamhost transfer process, I noticed an odd behavior and brought it up with their Customer Support team. After numerous back-and-forths, they don’t seem to understand the issue I’ve brought up. Perhaps you will…

When you receive a confirmation request from Dreamhost at the ‘outbound’ registrar’s email address, you’ll read this message:

Re: Transfer of destroybrooklyn.com

New Dream Network, LLC (dba DreamHost.com) has received a request from

jonathan vanasco

via our web administration panel on 2013-03-18 for us to become the new
registrar of record.

You have received this message because you are listed as the
Registered Name Holder or Administrative contact for this domain name
in the WHOIS database.

Please read the following important information about transferring
your domain name:

* You must agree to enter into a new Registration Agreement with
us. You can review the full terms and conditions of the Agreement at
http://dreamhost.com/tos.html

* Once you have entered into the Agreement, the transfer will take
place within five (5) calendar days unless the current registrar of
record denies the request.

* Once a transfer takes place, you will not be able to transfer to
another registrar for 60 days, apart from a transfer back to the
original registrar, in cases where both registrars so agree or where a
decision in the dispute resolution process so directs.

If you WISH TO PROCEED with the transfer, you must respond to this
message via one of the following methods (note if you do not respond
by 2014-03-18, destroybrooklyn.com will not be transferred to us.).

* please go to our website,

https://panel.dreamhost.com/ct.cgi?g=SOME_BIG_NUMBER&d=destroybrooklyn.com

to confirm.

If you DO NOT WANT the transfer to proceed, then don’t respond to this
message.

If you have any questions about this process, please contact
[email protected].

You might have noted that the text of that email just says “Do you want to approve this transfer from Godaddy to Dreamhost?”. It doesn’t say who at Dreamhost initiated the request. It doesn’t give a “Transaction ID” that can link the request I made when starting this transfer to this confirmation request.

The webpage you click through to is equally cryptic:

Attention: [email protected]

Re: Transfer of destroybrooklyn.com

New Dream Network, LLC (dba DreamHost.com) has received a
request on 2013-03-18 08:37:23 for us to become
the new registrar of record.

You have received this message because you are listed as the
Registered Name Holder or Administrative contact for this domain name
in the WHOIS database.

Please read the following important information about transferring
your domain name:

  • You must agree to enter into a new Registration Agreement with
    us. You can review the full terms and conditions of the Agreement at
    http://dreamhost.com/tos.html

  • Once you have entered into the Agreement, the transfer will take
    place within five (5) calendar days unless the current registrar of
    record denies the request.

  • Once a transfer takes place, you will not be able to transfer to
    another registrar for 60 days, apart from a transfer back to the
    original registrar, in cases where both registrars so agree or where a
    decision in the dispute resolution process so directs.

If you WISH TO PROCEED with the transfer, please click “Approve”
below. (Note if you do not respond by 2014-03-18, destroybrooklyn.com will
not be transferred to us.)

[Approve button]   [Deny button]
If you DO NOT WANT the transfer to proceed, then ignore this page, or click “Deny” above.

If you have any questions about this process, please contact
[email protected].

Both the email and the webpage carry “SOME_BIG_NUMBER”. It looks like a transaction ID: it appears in the email as a query-string parameter and on the HTML page as a hidden form value, but it is something I never saw during my transfer initiation.

Perhaps I’ve become a bit too security-minded in my age, but this scenario really jumps out at me — if someone knew that I was likely to transfer a domain to Dreamhost (which is something more than a few people have tweeted about), another party could ostensibly try to transfer a domain at the same time — and I would have no idea what I’m approving. Granted, one would need to get a Registrar Authorization Code in order to initiate a domain transfer — but there are plenty of stories online involving email hacking, password guessing, and registrar manipulation to get that done. While the email does state my name, if I wanted to trick someone into giving up their domain… I could just use their public whois data (or their twitter info) to have that seemingly populated.

An exploit like this is admittedly an edge case… but it’s possible, and there’s such a silly little fix to this sort of situation: giving the transaction a unique ID (which it probably already has), and making that ID clear to both the account requesting a transfer and the one approving it.

Do you wish to approve the transfer of DomainXYZ from GoDaddy to Dreamhost?

Could so easily be…

Do you wish to approve the transfer of DomainXYZ from GoDaddy to Dreamhost, with the TransactionID 12345?
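As an added example (not DreamHost’s code, and not part of the original post), here is a small Python model of the fix proposed above, covering both the missing-ID problem described with “SOME_BIG_NUMBER” and the suggested wording. Each pending transfer gets a short, human-readable transaction ID that is shown in the requester’s panel and repeated in the confirmation message, alongside a separate unguessable token that rides in the confirmation URL (the role the `g=` parameter plays above). The class and function names, the `registrar.example` host, the five-day expiry and the `expected_txid` argument (standing in for the approver comparing the ID on the page with the one in their own panel) are all assumptions of this example.

```python
import datetime as dt
import secrets
from dataclasses import dataclass


@dataclass
class PendingTransfer:
    txid: str                 # short, human-readable ID shown to both requester and approver
    domain: str
    requesting_account: str   # the registrar-side account that asked for the transfer
    token: str                # unguessable secret carried only in the confirmation URL
    created: dt.datetime
    expires: dt.datetime
    approved: bool = False


class TransferRegistry:
    """Assumed in-memory stand-in for a registrar's pending-transfer table (example only)."""

    def __init__(self, clock=None):
        # clock is injectable so expiry can be exercised without waiting five days
        self._clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))
        self._by_token: dict[str, PendingTransfer] = {}
        self._txids: set[str] = set()

    def initiate(self, requesting_account: str, domain: str, ttl_days: int = 5) -> PendingTransfer:
        """Called from the requester's panel; the returned txid is displayed there."""
        now = self._clock()
        txid = f"TX-{secrets.token_hex(3).upper()}"
        while txid in self._txids:                      # IDs must be unique, not secret
            txid = f"TX-{secrets.token_hex(3).upper()}"
        self._txids.add(txid)
        pending = PendingTransfer(
            txid=txid,
            domain=domain,
            requesting_account=requesting_account,
            token=secrets.token_urlsafe(32),            # 256-bit random, URL-safe
            created=now,
            expires=now + dt.timedelta(days=ttl_days),
        )
        self._by_token[pending.token] = pending
        return pending

    def confirmation_message(self, token: str) -> str:
        """Text sent to the WHOIS contact; names both the requester and the transaction."""
        p = self._by_token[token]
        return (
            f"Do you wish to approve the transfer of {p.domain} to this registrar,\n"
            f"requested by account '{p.requesting_account}', Transaction ID {p.txid}?\n"
            f"Approve: https://registrar.example/confirm?g={p.token}&d={p.domain}\n"
            f"This request expires on {p.expires:%Y-%m-%d}."
        )

    def approve(self, token: str, domain: str, expected_txid: str) -> bool:
        """Approve only when link, domain and the ID the approver saw in their panel all agree."""
        p = self._by_token.get(token)
        if p is None or p.approved or self._clock() > p.expires:
            return False                      # unknown link, already used, or expired
        if p.domain != domain:
            return False                      # the token is bound to exactly one domain
        if p.txid != expected_txid:
            return False                      # a different request than the one I started
        p.approved = True
        return True


def demo() -> dict:
    """Two concurrent requests for one domain; only the one I initiated can be approved."""
    reg = TransferRegistry()
    mine = reg.initiate("my-panel-account", "destroybrooklyn.com")
    other = reg.initiate("unrelated-account", "destroybrooklyn.com")
    return {
        "ids_differ": mine.txid != other.txid,
        "wrong_request_rejected": reg.approve(other.token, "destroybrooklyn.com", mine.txid),
        "own_request_approved": reg.approve(mine.token, "destroybrooklyn.com", mine.txid),
        "replay_rejected": reg.approve(mine.token, "destroybrooklyn.com", mine.txid),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the secret token and the transaction ID do different jobs: the token proves the approver holds the link that was emailed to the WHOIS contact, while the ID is deliberately non-secret and is displayed in both places so the two parties can tell which of several pending requests a given confirmation belongs to.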
