GoDaddy.com Insecurity

by SLEZ

Have you ever looked into how insecure GoDaddy.com really is?

Before I go into detail, let's first make something clear.  To do this you must have access to someone's GoDaddy account.  You cannot say that it is totally impossible for a GoDaddy account to be broken into.  Email spam plus careless people are proof of this.

Let's say you somehow got access to a GoDaddy account that you are not the owner of.

All you would have to do is click on "My Account" and any type of information you would need about the person is right in front of you.

In there you will see "My Customer #" which could come in handy.  Then by going into "Account Settings" the person's full name, address, city, state, ZIP Code, country, and phone number are displayed.

Now in "Account Security Information" which is under "Account Settings" the email address used under the account is displayed.

Also in "Account Security Information" they were nice enough to display the "Call-in PIN" which is a four digit number that you supply to the Customer Service or Technical Support representative when you call GoDaddy in order to verify your identity and customer account.

The final piece of information you will need in "Account Settings" is "Payment Information" which displays the type of credit card used, the last four digits of the credit card, expiration date, and when the credit card was last used.

What I do not understand is why all this information is being displayed and only protected by one single password.

Someone can simply call up GoDaddy and buy a domain name under someone else's account.

You can even spoof the number you're calling from to the one under the account.  GoDaddy will ask you for the information that I have listed above and before adding the domain to your account the sales rep will ask you for the last four digits of the credit card.

Now say someone does this.  They can easily make another GoDaddy account and transfer over the domain, and if the owner logs into their account there will be no trace of the newly purchased domain name.

Any actions made under the account will notify the account owner via email.  Simply mail bombing the account owner's email with the email addresses sales@godaddy.com and support@godaddy.com about 500 to 999 times will increase the chance that the person will delete all those emails along with the ones really sent from GoDaddy.com.

Also keep in mind many people use the same password for all their accounts and the same email address for all their business.  Even if the person has a different password for their email, with the information displayed in their GoDaddy account you might be able to reset the password.  That email address could be connected to an online banking account or even PayPal.

There is no need for this information to be displayed for any reason.  Nothing can be 100 percent hacker-proof but having sensitive information out like that isn't a smart move by GoDaddy.  To fix this problem all they would have to do is have a security question prompt.  If answered correctly, access would be granted to "Account Settings".  This might not solve the problem fully but it would make it harder for people to obtain personal information about the owner.
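The fix proposed above, a step-up prompt that gates "Account Settings" behind a security question, can be modelled in a few dozen lines. The following is an added example written for this article, not GoDaddy's code or anything the author published; the account fields, the session object, the 300-second step-up window, the three-attempt lockout and the sample account values are all assumptions. It also goes one step further than the text by treating the Call-in PIN as a secret that is stored hashed and only ever verified, never displayed, since a phone representative only needs to check it.

```python
"""Step-up verification gate for sensitive account settings (illustrative model).

A password login alone returns a masked view. A correct security-question
answer (salted, slow-hashed, compared in constant time) unlocks the full view
for a short window. Wrong answers are counted and trigger a lockout, and the
call-in PIN is verified server-side rather than shown to the logged-in user.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

STEP_UP_TTL = 300        # seconds a successful step-up stays valid (assumed)
MAX_ATTEMPTS = 3         # wrong answers before lockout (assumed)
LOCKOUT_SECONDS = 900    # lockout length (assumed)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked table does not reveal answers or PINs."""
    normalised = secret.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


@dataclass
class Account:
    customer_number: str
    email: str
    card_last4: str
    card_expiry: str
    salt: bytes
    security_answer_hash: bytes
    callin_pin_hash: bytes       # the PIN itself is never stored or displayed
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    password_verified: bool = True   # the user already passed the login page
    step_up_verified_at: float = 0.0


def create_account(customer_number, email, card_last4, card_expiry,
                   security_answer, callin_pin) -> Account:
    salt = secrets.token_bytes(16)
    return Account(customer_number, email, card_last4, card_expiry, salt,
                   hash_secret(security_answer, salt), hash_secret(callin_pin, salt))


def step_up_is_valid(session: Session, now: float) -> bool:
    return session.step_up_verified_at > 0 and now - session.step_up_verified_at < STEP_UP_TTL


def answer_security_question(session: Session, account: Account, answer: str, now=None) -> bool:
    """Step-up prompt: returns True and marks the session on a correct answer."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return False                      # locked out: do not even check the answer
    candidate = hash_secret(answer, account.salt)
    if hmac.compare_digest(candidate, account.security_answer_hash):
        account.failed_attempts = 0
        session.step_up_verified_at = now
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
    return False


def verify_callin_pin(account: Account, pin: str) -> bool:
    """What a phone representative's tool would call; the PIN is never shown."""
    return hmac.compare_digest(hash_secret(pin, account.salt), account.callin_pin_hash)


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def view_account_settings(session: Session, account: Account, now=None) -> dict:
    """Full details only after step-up; otherwise a masked view. PIN is never included."""
    now = time.time() if now is None else now
    if not session.password_verified:
        raise PermissionError("login required")
    if not step_up_is_valid(session, now):
        return {
            "step_up_required": True,
            "customer_number": "*" * (len(account.customer_number) - 2) + account.customer_number[-2:],
            "email": mask_email(account.email),
            "card_last4": "****",
            "card_expiry": "**/**",
        }
    return {
        "step_up_required": False,
        "customer_number": account.customer_number,
        "email": account.email,
        "card_last4": account.card_last4,
        "card_expiry": account.card_expiry,
    }


if __name__ == "__main__":
    # Constructed sample account, not real customer data.
    acct = create_account("12345678", "owner@example.com", "4242", "12/29", "Rover", "1234")
    sess = Session()
    print(view_account_settings(sess, acct))            # masked view
    answer_security_question(sess, acct, "rover")
    print(view_account_settings(sess, acct))            # full view after step-up
```

The important design choices are that the masked view is the default, the step-up expires so a forgotten open session does not stay privileged, and the answer comparison is constant-time against a salted hash. The call-in PIN follows the same pattern: if the only party who ever needs it is the representative on the phone, the web account has no reason to render it.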

Another security flaw in "Account Security Information" is the "Enable Card on File" option.  All you need to do is check the option, confirm the password, and then you can purchase items on GoDaddy.com without a credit card and without calling up to social engineer the sales reps.
