Allowing Domains or Accounts to Expire
This page contains draft content that has never been finished. Please help OWASP update this content! See FixME.
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision: 03/12/10
Description
Through neglect, an administrator may allow a domain name or e-mail account to expire. Domains have a significant grace period before they expire, and e-mail accounts on free services such as Yahoo may expire after several months without a login.
Risk Factors
- The biggest risk is an e-mail server on a domain that is allowed to expire. The more users there are, the more personal information you put at risk, because people use those addresses as backup e-mails for accounts on other websites. An attacker can simply purchase the domain and set up a mail server. By analyzing the mail and spam that arrives, they can determine the actual usernames people used on the domain and possibly which services those addresses were registered with.
- Given that, be careful to use only e-mail addresses hosted on domains owned by organizations that show no sign of going under in the future.
- There is very little recourse once a malicious entity has purchased your domain. They can sell it back to you for whatever price they choose. Even if you have grounds for a lawsuit, it can take months at least.
- If you have applications (especially ones that are no longer supported) sending data to a domain, an attacker who buys that domain can gather personal information from your users.
- The domains most likely to expire are those belonging to projects or companies that no longer exist.
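A defensive control that follows from the risk factors above is to inventory the domains your applications and mail depend on and watch their registry expiration dates. The following is an added example, not part of the original OWASP page: it pulls hostnames out of a configuration file and reads the `expiration` event from a registry RDAP record. The RDAP document and the config snippet are constructed sample data; in practice the record comes from the registry's RDAP endpoint (for example via https://rdap.org/domain/<name>).

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample RDAP response (not real registry data). Real records
# follow the same shape: an "events" list with eventAction/eventDate pairs.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-legacy-app.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2010-03-12T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-04-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-03-20T10:11:12Z"},
    ],
})

# Constructed config fragment from a hypothetical unsupported application.
SAMPLE_CONFIG = """
update_url = https://updates.example-legacy-app.test/check
report_to  = https://Telemetry.Example-Legacy-App.test:8443/api
"""

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def referenced_domains(config_text: str) -> list:
    """Hostnames an application sends data to; these need expiry monitoring."""
    return sorted({m.lower() for m in HOST_RE.findall(config_text)})

def expiration_from_rdap(rdap_json: str):
    """Return the registry 'expiration' event as an aware datetime, or None."""
    for ev in json.loads(rdap_json).get("events", []):
        if ev.get("eventAction") == "expiration":
            # Accept the RFC 3339 'Z' suffix on Python versions older than 3.11.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def days_until_expiry(rdap_json: str, now: datetime):
    exp = expiration_from_rdap(rdap_json)
    return None if exp is None else (exp - now).days

def classify(rdap_json: str, now: datetime, warn_days: int = 60) -> str:
    """'expired', 'renew-soon', 'ok', or 'unknown' when no expiry event exists."""
    days = days_until_expiry(rdap_json, now)
    if days is None:
        return "unknown"
    if days < 0:
        return "expired"
    return "renew-soon" if days <= warn_days else "ok"

if __name__ == "__main__":
    for host in referenced_domains(SAMPLE_CONFIG):
        print(host, classify(SAMPLE_RDAP, datetime.now(timezone.utc)))
```

A negative day count means the registrar grace period is already running, which is the window in which the domain can be picked up by someone else once it is released.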