Lost password attack!


name.com is a registrar that provides private whois service. On their web site they say:

Name.com offers Private Whois Service to protect your online identity. With Private Whois, you can hide your contact information from the public but still receive emails to your personal email address.

But when you go to name.com and click on “Lost your password?”, it asks you for domain name or account name. If you enter a domain name and click on “Get Password”, you get:

An email with information on how to change the password has been sent to the account owner at ‘[email protected]’.

So much for protecting your online identity! All name.com needs to do is say that an email has been sent to the account owner. Otherwise, a brute-force lost-password attack (has this term been used before?) can be used to get the private email addresses of domain owners. I will send an email to them and ask them to fix the problem.
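The fix suggested above, sketched as an added example (not name.com's code): a reset handler that echoes the owner's address next to one that returns the same generic message for every input, plus a regression check that compares the two. The account data, function names and the "Unknown domain" wording are assumptions made for illustration.

```python
import secrets

# Constructed sample data (hypothetical): domain -> private contact address.
ACCOUNTS = {"example.com": "owner@example.net"}
OUTBOX = []  # stands in for the outbound mail queue
GENERIC = ("If that domain or account exists, reset instructions "
           "have been sent to the account owner.")

def reset_leaky(domain):
    """Response shape quoted in the post: the owner's address is echoed back."""
    email = ACCOUNTS.get(domain.strip().lower())
    if email is None:
        return "Unknown domain or account."  # assumed wording, not from the post
    return ("An email with information on how to change the password "
            f"has been sent to the account owner at '{email}'.")

def reset_hardened(domain):
    """Identical response for every input; the address only reaches the mailer."""
    email = ACCOUNTS.get(domain.strip().lower())
    if email is not None:
        OUTBOX.append((email, secrets.token_urlsafe(32)))  # single-use reset token
    return GENERIC

def audit(handler, probes):
    """Regression check: which private addresses appear in the responses, and
    how many distinct responses the handler gives across the probes."""
    responses = [handler(p) for p in probes]
    leaked = {e for e in ACCOUNTS.values() for r in responses if e in r}
    return leaked, len(set(responses))

if __name__ == "__main__":
    probes = ["example.com", "EXAMPLE.com", "not-registered.test"]
    print("leaky   :", audit(reset_leaky, probes))
    print("hardened:", audit(reset_hardened, probes))
```

A check like `audit` belongs in the test suite of any lost-password endpoint: the hardened handler must leak no address and give exactly one distinct response, so the page confirms neither the address nor whether the domain is registered.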
