Allowing Domains or Accounts to Expire

De OWASP
Saltar a: navegación, buscar

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (03/12/10): Template:MAR/Template:12/Template:2010

Vulnerabilities Table of Contents

Description

Through neglect an administrator may allow a domain name or e-mail account to expire. Domains have a significant grace period for expiration, and e-mail addresses using free services such as Yahoo may expire after several months of not logging in.


Risk Factors

  • The biggest risk involved is if you have an e-mail server on a domain that is allowed to expire. The more users there are, the more personal information you are putting at risk when they use those e-mails as backup e-mails for accounts on websites. An attacker can simply purchase the domain and setup a mailserver. By analyzing the spam coming in, they can determine the actual usernames people used on the domain and possibly what services they used with those e-mails.
  • Considering that, you should be careful only to use e-mails hosted on domains owned by companies that don't show any sign of going under in the future.
  • There is very little recourse if a malicious entity has purchased your domain. They can sell it back to you for however much money they want to charge. Even if you have grounds for a lawsuit, it can take months at least.
  • If you have applications(especially no-longer supported) sending data to a domain, if an attacker buys the domain they can gather personal information from your users.
  • Domains most likely to expire are those belonging to projects or companies that no longer exist.