
Registrar registering .uk without permission

Discussion in '.UK Domain Name Consultations' started by bluerock, Oct 16, 2014.

Thread Status:
Not open for further replies.
  1. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,260
    Likes Received:
    93
    If the OP had clicked the link the domain name would still have been legally registered to him using his details. It would then require the complicity of the registrar to change the admin-c so the person who had paid for the .uk 2LD registration could login to Nominet Registrants Online and pay for a transfer, unless the person also managed to persuade an accredited channel partner to change the registrant details.

    What's the exact text of the confirmation email that Nominet send out?

    Added: seems smart to use an email address that nobody except you and Nominet will know for your admin-c.
     
    Last edited: Oct 17, 2014
  3. bluerock

    bluerock Well-Known Member Full Member

    Joined:
    Jan 2005
    Posts:
    9,000
    Likes Received:
    56
    On the registrar data compliance the email, address and telephone must match. As the attempted registrant did not know my phone number they put another number in. The data compliance therefore could not match yet it went further.
     
  4. invincible

    I'm not seeing a requirement for the telephone number to match within the document I've referenced. :) Where are you seeing this stated?


    (from iPad - K)
     
  5. BurtyB

    BurtyB Member

    Joined:
    Aug 2008
    Posts:
    15
    Likes Received:
    6
    Sadly in some cases it's fairly easy to go one step further than what happened to you in this case and register a domain on the same tag which will bypass the authorisation email.

    1) "Mr Thief" wants to register example.uk, a whois later they know the registrar is "Example Registrar".

    2) They check the whois for example.TLD (com/net/etc) and find it doesn't use privacy protection and is registered in the same name as example.co.uk (and address if it isn't opt-out).

    3) They then plug the registration details including the email address shown on the example.com whois into Fasthosts and start the registration process for example.uk. If they don't see the "Please correct the highlighted fields." warning they've validated the registrant details (any site that checks via the API would probably work to validate the example.co.uk registrant details).

    4) Go to "Example Registrar" and add example.uk to the cart using "Mr Thief's" contact details for the client information, specify a new contact for the domain registration and enter the example.com whois registrant information validated above.

    5) Pay for the domain...

    6) No validation checks are done as the registrant information matches and it's on the same tag so all they need to do is update the contact details on the domain to "Mr Thief" and they've registered a .uk they didn't have the rights to.

    All very simple to automate if anyone wanted to find a list of .uk domains they could easily hijack.

    Nominet's opinion on this is "Registrars are responsible for ensuring second level registrations on their tag are made legitimately" - aren't we the lucky ones!

    Looks like I'll be changing all of my domains to use unique email addresses tonight...

    Chris.
     
    Last edited: Dec 2, 2014
  6. invincible

    So this reduces the pool of .uk domain names that could potentially be hijacked down to ones where there's one in a gTLD that likely uses the same administrative email address, published in that gTLD's WHOIS. Still likely to be a significant number, of course.

    Sorry, what's "the PI"? :)

    Is it actually possible to do this part and specify a different contact to the one listed for the 3LD, though? Isn't part of the registration process the requirement for the domain name to be actually registered to the same Registrant? See 2a here.

    I am still not absolutely sure this would work in practice, based on reading through the document I've referenced. Obviously it could be good practice to use an unpublished email address for the admin-c and keep valuable domain names on a registrar tag controlled by oneself or a trusted registrar.
     
  7. bluerock

    It's on 2b. It's the last entry under "registrant details".
    "Do details meet Data Completeness Check? (address, email, telephone)"

    They did not know my number so used a false one.
     
  8. BurtyB

    Last night I tried it with one of my co.uk domains which I manage via WHMCS (I'm sure it could be done via other systems too; it's just that that is how I manage my domains). I added an order for the .uk domain to the cart (as a user) using a crafted URL (bypassing the domainchecker which would say the .uk domain already existed). Used a set of test information for the client (including a different name/email address/etc.) and then selected to use alternate contact information for the domain registration and entered the details from a .com domain whois. This results in the domain being registered and the only email address that gets sent any kind of notification is the one of the "test user", not the registrant of the .co.uk domain.

    Chris.

    Hmm Pie... or was that API.
     
  9. jasman United Kingdom

    jasman Active Member

    Joined:
    Jul 2006
    Posts:
    809
    Likes Received:
    31
    When you say the only email address that gets sent any kind of notification is the one of the "test user" not the registrant of the .co.uk domain, was that the email from Nominet with the link to approve it? Or was it some other email and the email with the link is still to come? Is the domain you registered stuck in "suspended" status?

    From following this thread, I thought the email with the link gets sent to the .co.uk's admin email and worst case is the domain gets created, remains suspended for 7 days then cancelled if the .co.uk admin email owner doesn't click the link to approve (and Nominet need to urgently make sure future registration is once again restricted to the .co.uk/ rights owner if that isn't currently the case).

    Or did you manage to bypass the above procedure and get an unsuspended .uk without the .co.uk admin email being involved at all?
     
    Last edited: Oct 17, 2014
  10. BurtyB

    The only email sent is from my billing system (WHMCS). There is no email from Nominet if the .uk domain is registered on the same tag as the .X.uk with rights (see 3b from the Nominet pdf linked earlier) so after ordering the .uk domain it was live, in the zone and resolving (and the .X.uk registrant wouldn't have any clue).
     
    Last edited: Oct 17, 2014
  11. jasman United Kingdom

    OK thanks for clarifying. So to summarise, beware of Nominet emails with a link to approve the creation of a .uk version of one of your domains. And watch out if you have domains held at a registrar open to the public - keep your admin email secret.

    Presumably then if

    a) you have your own tag just for yourself and
    b) should you receive any Nominet emails asking to approve a .uk request from some other tag/registrar, you make sure you never click on them

    ...it is not possible for someone else to create a .uk version of one of your domains on your tag?
     
  12. Retired_member41

    Retired_member41 Retired Member

    Joined:
    Mar 2010
    Posts:
    3,443
    Likes Received:
    55
    Does it mean someone could create accounts with Fasthosts, 123-reg, Domainmonster etc. and when a domain is about to drop, say about now on the day of the drop, register the .uk?

    There would be no domain to revert it back to, as the .co.uk would have dropped and been re-registered.

    Unless Nominet only allow you to register a .uk from a matching right when not suspended?
     
  13. invincible

    Would you be likely to know the admin-c email address used by the 3LD domain name that was dropping, therefore allowing you to validate for the .uk 2LD?
     
  14. invincible

    To clarify fully, is the .uk 2LD that is registered on the same registrar tag as the 3LD that had the Right, in your experiment, registered to the same Registrant as the 3LD that had the Right or can it be registered to a different Registrant? I realise the .uk 2LD is registered using a different admin-c email address, but I am not sure whether you are claiming that it is possible to make the registration to a totally different Registrant.
     
  15. BurtyB

    Initially the 2LD would need to be registered with the same registrant details as the 3LD, but there's nothing to stop Mr Thief changing them and/or pushing it to a different tag afterwards and waiting to see if they get caught.

    I would much rather Nominet emailed the registrant with rights in ALL cases (even if it was just a notification) rather than just those with a tag mismatch to prevent this being an issue that could go unnoticed for some time.

    Chris.
     
  16. invincible

    I concur that on the face of it it would seem sensible for Nominet to email the admin-c email address associated with the 3LD that had the Right to the .uk 2LD in all cases including when the .uk 2LD is registered at the same registrar tag as the 3LD with the Right.

    The flaw is possibly not because of anything in Nominet's own registrants online system but to do with separate customer account systems that some registrars operate themselves. Those separate customer account systems seemingly let someone create a customer account at the registrar using any email address they control and then permit the customer account operator to make an application to Nominet for a .uk 2LD with data that might be known to them but without any requirement that the data supplied is verified as theirs. Although the .uk 2LD is registered to the same registrant as the 3LD which had the Right to the .uk 2LD in Nominet's own systems, the registrar would have permitted a customer (e.g. "Mr Thief") to make the .uk 2LD registration using a customer account other than the one that manages the 3LD that had the Right, hence the registrant details of the .uk 2LD could possibly be amended on a subsequent occasion. This would depend on what the registrar's customer account allowed the customer to do. If they allowed the admin-c email address of the domain name within Nominet's own systems to be changed then the registrant could change the Registrant assuming the Registrar wasn't Accredited and couldn't offer to do it for the customer directly.
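
One way a registrar could close the same-tag gap discussed in this thread, shown as an added example that is not from any poster, registrar or Nominet: matching registrant details are not treated as proof of ownership unless the order comes from the customer account that already manages the 3LD, and the 3LD's admin email is notified in every case. The `Record` and `Decision` types, the account ids and the sample data are hypothetical, and only .co.uk rights are modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Record:
    name: str         # domain name
    account_id: str   # registrar customer account that manages or orders it
    registrant: str
    admin_email: str

@dataclass(frozen=True)
class Decision:
    action: str            # allow | hold | reject | defer_to_registry
    notify: Optional[str]  # address that must be told about the order

def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.lower().split())

def review_2ld_order(order: Record, tag_portfolio: dict) -> Decision:
    """Gate a .uk order placed on this registrar's own tag."""
    label = order.name.lower().removesuffix(".uk")
    rights = tag_portfolio.get(label + ".co.uk")  # assumption: .co.uk rights only
    if rights is None:
        # 3LD is not on this tag: the registry's approval email path applies.
        return Decision("defer_to_registry", None)
    same_details = (_norm(order.registrant) == _norm(rights.registrant)
                    and _norm(order.admin_email) == _norm(rights.admin_email))
    if not same_details:
        return Decision("reject", rights.admin_email)
    if order.account_id == rights.account_id:
        # Legitimate path; still notify so no registration happens silently.
        return Decision("allow", rights.admin_email)
    # Details match but come from a different customer account: the data may
    # simply have been copied from a public gTLD WHOIS, so hold the order
    # until the 3LD's admin contact confirms it.
    return Decision("hold", rights.admin_email)

# Constructed sample data (not from the thread).
PORTFOLIO = {"example.co.uk": Record("example.co.uk", "acct-100",
                                     "Example Ltd", "owner@example.com")}
OWNER = Record("example.uk", "acct-100", "Example Ltd", "owner@example.com")
OTHER = Record("example.uk", "acct-999", "example ltd", "Owner@Example.com")
WRONG = Record("example.uk", "acct-999", "Someone Else", "x@example.net")
ELSEWHERE = Record("other.uk", "acct-999", "Other Ltd", "o@example.org")

if __name__ == "__main__":
    for rec in (OWNER, OTHER, WRONG, ELSEWHERE):
        print(rec.account_id, rec.name, review_2ld_order(rec, PORTFOLIO))
```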
     