While selling a domain name at the NamesCon/RightOfTheDot/Namejet auction I discovered a big security flaw at Enom. But let’s start from the begginning…
I submitted my first domain name in a NamesCon auction this year. It was a 3 letter .org that didn’t go into the live auction. In the silent auction it sold (not for what I was expecting but that is another story) as it had no reserve.
I was then asked to transfer the domain name to Enom before the domain was paid, something I didn’t really like. Nevertheless I did that too. I had some funds in an old Enom account so I made the transfer.
I was waiting for the payment so I would get an email from Namejet to push the domain into their account. But I found out that is not how it works…
While I was waiting for the payment and because of an unrelated email I logged into my account and the domain name was missing. Soon after I received an email from Namejet asking me to submit me my payment details. There was no mention of a push.
I contacted Namejet and this is what I found out.
This is how they always treat domain names that are auctioned in Namejet. Sellers don’t push domain names. But let’s say that this is how they do it.
The problem is that I have no record of the domain being transferred to Namejet or the buyer.
There is no record of a push/transfer between the 2 accounts and I received confirmation email of this push/transfer.
This is a very bad practice and of course a big security threat. I find it unbelievable that a domain name left my account and I have no record.
Even if Namejet takes the domain, there MUST be a record of the push/transfer in my account AND a confirmation email. This is a serious issue and something that any hacker or employee can potentially exploit. A domain name can leave an Enom account and the owner will never know.
I am sorry but the person that designed this system is dangerous. Modern systems have tracking and email alerts for everything. And domain names are the most valuable asset a registrar and registrant can hold. I don’t believe how this was designed and run like this for god knows how many years.
I wonder if all the other people selling domains at Namejet are finding this normal and secure…
When I first told Namejet about the issue they were defensive but at the end they said that they will look into the issue. Not sure if anything will happen as the Enom registrar system is now one of the oldest in the industry with very few improvements in the past 10 years.