A leak at DiscountDomainRegistry.com was recently discovered completely by accident after a link to the site led to an error involving execution rights on a MySQL directory. As a result, anyone could have viewed sensitive financial and personal information related to thousands of domain name registrations.
A database problem with a U.S. domain name registrar exposed sensitive financial and personal information related to thousands of domain name registrations, reports ComputerWorld.
New York-based DiscountDomainRegistry.com quickly rectified the problem after it was informed by the Dutch firm Strongwood. According to the registrar, no one managed to gain access to any of the sensitive client data that was compromised.
The problem with DiscountDomainRegistry.com’s database was discovered by a systems engineer at Strongwood, who was researching .eu domain names. When he clicked on a link within DiscountDomainRegistry's site it led to an error involving execution rights on a MySQL directory. A script plus other programming was visible that allowed for a connection to the database, which contained credit card numbers, usernames, passwords and other information.
When Strongwood contacted DiscountDomainRegistry.com an official there initially refused to believe that such an error was possible. Only when the official was told his own password was the registrar company convinced there was a problem.
The error is though to have existed on the site for up to four months. As well as the theft and sale of confidential data, intruders could have altered the IP addresses associated with the Web sites registered with DiscountDomainRegistry.com to make more money from those firms’ clients, otherwise known as phishing scams. According to Strongwood, if news of the error had reached the criminal world, the registrar could have suffered losses running into millions of dollars.
“Despite the fact that the potential leak was caused by a breach in the software, there appears to be serious problems with the registrar’s IT security policy. Obviously, any database containing confidential client information that is connected to the Internet has to be subject to particularly thorough controls. But this vulnerable link handed all the private details to users literally on a plate. Anyone could have found it all that time the registrar thought everything was in order. It would have been sufficient to check the links on the site to expose the problem," says Denis Zenkin, marketing director at InfoWatch.
Source: ComputerWorld