Category Archives: domain register privacy

Researcher finds 670 Microsoft subdomains vulnerable to takeover

Years after it was first identified as a possibility, researchers have found it’s still child’s play to hijack subdomains from companies such as Microsoft to use in phishing and malware attacks.

Researchers at Vullnerability.com were able to grab more than 670 subdomains that had previously been used by Microsoft but subsequently forgotten about, including:

  • identityhelp.microsoft.com
  • mybrowser.microsoft.com
  • web.visualstudio.com / webeditor.visualstudio.com
  • data.teams.microsoft.com
  • sxt.cdn.skype.com
  • download.collaborate.microsoft.com
  • incidentgraph.microsoft.com
  • admin.recognition.microsoft.com

And many others, all of which look like the sort of legitimate subdomains users (including Microsoft employees), would be inclined to trust if lured to them by a phishing attack.

Read more in

Hostile Subdomain Takeover using Heroku/Github/Desk + more

Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, and affects at least 17 large service providers and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS-entries and remove all which are active and unused OR pointing to External Services which you do not use anymore.

http://labsdetectify.wpengine.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

CyberSecurity: The privacy policy of Godaddy.com

We all know Godaddy.com & many of us would have used before but not sure if we notice their privacy policy. The privacy policy is something companies always ask but you don’t have a choice to say NO. However, This privacy policy is different.

So Godaddy.com policy suggests that you could register a domain name but not guarantee of keeping your private information safe. You could get spam & scams if you don’t pay some extra amount to safeguard your own profile. To understand in Godaddy.com language, check out below snapshot.

Did you see that? Interesting to know that it is a situation where companies asking to pay more for user privacy. We have been thinking that it is a company or service provider responsibility to take care of their user details & their privacy. But it appears to me that Godaddy thinks differently. There might be a good reason to have this policy but as a user, it is not comforting.

Imagine a case when facebook, google or Apple starts demanding price of users privacy and say look, it is the responsibility of the users to use our services and the user has to pay extra to prevent themselves from any damage. Security & Privacy isn’t free and can’t be given a free service. Question is Is that what we are going to get as a user? Currently, none of organizations or entity has even been liable or punished for any damage. Software providers should be equally responsible for it

Why it is important?

There is whois database where you can get information of every domain. In general, That is the starting point for hackers to gather information about your service, domain & servers etc. More important is that whois database provide every information about the person who owns this domain if the person hasn't paid extra to these domain providers.

WHOIS Link to check information about any domain. https://ca.godaddy.com/whois

godaddy privacy policy
When you search for the domain and add the selected domain to the cart, Godaddy.com shows up their privacy policy for the user in the checkout page. 

Final Thought

The protection of the user privacy & prevent from any damage should be the first objective of any service providers. There may be the case where the domain owner needs to be given to the third party or authority. But does not mean that anyone is authorized to access domain & domain owner information.