A Domain is under Control of two Separate Account Dashboards!!

Darkniight · Jan 18, 2023

Sav expired domains usually leave the dashboard 1 month after expiry. But, I've got a domain expired on 23/10/2022, which hasn't left my dashboard yet.

Out of curiosity, today I checked the whois, and found out that it was re-registered on 13/01/2023, and currently listed for sale by someone else for $12,988.

Interestingly, currently used Name Servers are also showing in my SAV dashboard, which are different than my Name Servers. I have never used Bodis.

So, it got me more curious and I checked the Auth Code by creating a Transfer Order in Dynadot. To my surprise, Dyna accepted the Auth Code. I didn't place the order though.

So, it seems the domain is active and currently under control in two separate SAV accounts. How is that even possible? If this is the case, then it indicates a severe flaw in Sav's system.

Or am I missing something here?

@Nick R

Darkniight · Jan 18, 2023

Update: I changed the Name Servers to check whether it affects the domain or not. It did!!
Definite proof that I can control the domain that I no longer own.

Charizard · Jan 19, 2023

Wow, this is huge. I guess they need security audit before some breach happens…

pb · Jan 19, 2023

I also had in my account a domain that expired half a year ago and was re-registered by someone else at sav, but today it's gone, maybe after your post?

Darkniight · Jan 19, 2023

pb said:
I also had in my account a domain that expired half a year ago and was re-registered by someone else at sav, but today it's gone, maybe after your post?

My one still remains.

kor · Jan 19, 2023

My account also has domain names that expired months ago. I've been aware of this issue for a long time, but I didn't tell them. I'm waiting for this thing to explode in their ass.

There has been the following problem for about 2 years; domain names are disappearing from the account out of nowhere and they still haven't been able to find a solution to this problem. In case you realize that your domain name has flown from your account, you need to open a ticket and report it, days later the domain name returns to your account as a surprise.

However, they have only one job to do: DOMAIN!

It is quite obvious that they have no idea about fundamental principles of programming. If I look at the source code of the framework (codeigniter) they use, I'm pretty sure I can find dozens of vulnerabilities.

pb · Jan 19, 2023

kor said:
There has been the following problem for about 2 years; domain names are disappearing from the account out of nowhere and they still haven't been able to find a solution to this problem. In case you realize that your domain name has flown from your account, you need to open a ticket and report it, days later the domain name returns to your account as a surprise.

Wait, you need to *realize* that your domain disappeared? Half of my domains I could swear I see for the first time when the renewal comes, how am I supposed to notice that one is missing?

kor · Jan 19, 2023

pb said:
Wait, you need to *realize* that your domain disappeared? Half of my domains I could swear I see for the first time when the renewal comes, how am I supposed to notice that one is missing?

Well, that's the tricky part.

I realized the situation when I could not find a domain name that I had sold in my account to initiate the transfer process.

Following this incident, I wrote a small script that regularly cross-checks entries in my local database, email invoices, and records in my SAV account.

Darkniight · Jan 20, 2023

pb said:
Wait, you need to *realize* that your domain disappeared? Half of my domains I could swear I see for the first time when the renewal comes, how am I supposed to notice that one is missing?

This is the case for most of us. How is that possible to keep track whether a domain is missing or not.

Nick R · Jan 24, 2023

We are aware of some domains that should have expired from users' accounts but were not deleted properly. We are working with the registry to get these expired domains deleted and removed from users' accounts as expected. This should be resolved in the coming days.

Namingfy · Feb 4, 2023

Nick R said:
We are aware of some domains that should have expired from users' accounts but were not deleted properly. We are working with the registry to get these expired domains deleted and removed from users' accounts as expected. This should be resolved in the coming days.

The issue reported below is a SERIOUS SECURITY ISSUE.

Darkniight said:
Update: I changed the Name Servers to check whether it affects the domain or not. It did!!
Definite proof that I can control the domain that I no longer own.

Darkniight · Jan 7, 2024

Reporting back after almost a year. That domain, which is not owned by me, still remains in my account in Sav. I can still change the nameservers, turn the whois privacy on and off, lock and unlock the domain and see the Authcode.

I have all these access for a domain that belongs to someone else, which is listed at $12,998.

How come such a massive security threat has not been taken care of yet!!

A Domain is under Control of two Separate Account Dashboards!!

More options

Darkniight

Established Member

Darkniight

Established Member

Charizard

Established Member

pb

Top Member

Darkniight

Established Member

kor

Restricted (50-70%)

pb

Top Member

kor

Restricted (50-70%)

Darkniight

Established Member

Nick R

VIP Member

Namingfy

Established Member

Darkniight

Established Member

Attachments

Similar threads

We're social

New posts

Auction activity

What non .com extensions have you sold in 2024?

Polls of interest

Popular this week

Community favorite

Popular this month

Blog favorites

Pinned

Appreciation

Agreement