Allowing Domains or Accounts to Expire

This page contains draft content that has never been finished.

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (03/12/10): March 12, 2010



Through neglect an administrator may allow a domain name or e-mail account to expire. Domains have a significant grace period for expiration, and e-mail addresses using free services such as Yahoo may expire after several months of not logging in.

Risk Factors

  • The biggest risk involved is if you have an e-mail server on a domain that is allowed to expire. The more users there are, the more personal information you are putting at risk when they use those e-mail addresses as backup e-mails for accounts on websites. An attacker can simply purchase the domain and set up a mail server. By analyzing the spam coming in, they can determine the actual usernames people used on the domain and possibly what services they used with those e-mails.
  • Considering that, you should be careful only to use e-mails hosted on domains owned by companies that don't show any sign of going under in the future.
  • There is very little recourse if a malicious entity has purchased your domain. They can sell it back to you for however much money they want to charge. Even if you have grounds for a lawsuit, it can take months at least.
  • If you have applications (especially ones that are no longer supported) sending data to a domain and an attacker buys that domain, they can gather personal information from your users.
  • Domains most likely to expire are those belonging to projects or companies that no longer exist.
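One way to catch this before the grace period runs out, as an added example that is not part of the OWASP page: a Python check that reads the RDAP (RFC 9083) record a registry serves for each domain your mail or applications depend on and flags those that are past or near their expiration date. The RDAP fragments, domain names and clock below are constructed samples so the script runs offline; in practice you would fetch each record from the registry's RDAP service.

```python
from datetime import datetime, timezone

# Constructed RDAP fragments: only the "events" array matters for expiry.
SAMPLE_RDAP = {
    "mail.example": {"events": [
        {"eventAction": "expiration", "eventDate": "2025-03-20T00:00:00Z"}]},
    "legacy-app.example": {"events": [
        {"eventAction": "expiration", "eventDate": "2026-01-01T00:00:00Z"}]},
    "lapsed.example": {"events": [
        {"eventAction": "expiration", "eventDate": "2025-02-01T00:00:00Z"}]},
    "no-data.example": {"events": []},
}
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def expiry_date(rdap):
    """Return the RDAP 'expiration' event as an aware UTC datetime, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            # RDAP dates are RFC 3339; normalise the 'Z' suffix for fromisoformat.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def classify(rdap, now, warn_days=60):
    """Return (status, days_left): status is expired|warning|ok|unknown."""
    exp = expiry_date(rdap)
    if exp is None:
        return "unknown", None          # no expiry event: verify by hand
    days_left = (exp - now).days
    if days_left < 0:
        return "expired", days_left     # past expiry: the grace period is running
    if days_left <= warn_days:
        return "warning", days_left
    return "ok", days_left

def check_domains(records, now, warn_days=60):
    """Return {domain: (status, days_left)} for every domain that is not 'ok'."""
    report = {}
    for name, rdap in records.items():
        status, days_left = classify(rdap, now, warn_days)
        if status != "ok":
            report[name] = (status, days_left)
    return report

if __name__ == "__main__":
    for name, (status, days) in check_domains(SAMPLE_RDAP, SAMPLE_NOW).items():
        print(f"{name:20s} {status:8s} {days}")
```

Domains reported as "unknown" deserve a manual look: a registry that publishes no expiration event gives you no automated warning at all.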