
Consider a domain that had been in active use for some time but is no longer desired — perhaps the company is out of business or a name change took place years ago, or whatever. The domain registration will be allowed to lapse.

I'm guessing there are potential vectors of attack by "dumpster diving" a second-hand expired domain.

One thing I can think of is user accounts registered using email addresses from the expired domain. I imagine that the new owner of the expired domain could submit email addresses to "forgot password" forms on any site and gain the logins of dormant accounts.

Some critical logins such as banking, hosting or DNS accounts even ask for a secondary email address to help users in case they lose access to their primary email address. In fact, it's often these secondary addresses that people forget they once registered somewhere. This could leave them exploitable should that dormant secondary email end up in someone else's hands one day.

Are there other known exploits to be concerned about with expired domains?

When planning to vacate a domain, what steps can be done to protect the original users of the domain?

Adi
Andrew Vit

2 Answers


This is a no-brainer. Don't let the domain lapse. Domains are cheap, security incidents are expensive.

Habbie
  • +1 -- for about $150 you can renew the domain for 10 years. – bstpierre Nov 23 '11 at 14:07
  • Admittedly this is the most pragmatic solution, but in effect it means that any domain registration is done "for life". – Andrew Vit Nov 23 '11 at 23:15
  • @AndrewVit I would say that if you've grave-yarded a domain for 10 years, it's safe to stop registering after that. Anybody who hasn't gotten the message in a decade can be written off. – Jeff Ferland Nov 24 '11 at 02:16

Contact all your users and tell them that you are vacating your domain. Tell them the security risks if they don't update email addresses, etc. Then give them a reasonable amount of time to make the changes.

Another attack avenue would be that an attacker can clone the website, then put it back up and wait for people to try to log in. Again, notifying your users should fix that, but give them plenty of time. Also, some months/years before vacating the domain, replace the website with a static page stating the same warning info.

mikeazo
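The risk raised in the question is that a recovery address on a lapsed domain can be re-registered by anyone, who then receives every password-reset mail sent to it. The following is an added example, not code from the question or either answer, showing how a site operator can audit their own user table for that condition: extract the domain of every primary and secondary recovery address and ask DNS whether it still exists and still accepts mail. Two results matter: NXDOMAIN (the domain is unregistered and can be taken over) and an RFC 7505 null MX record (`MX 0 .`, which a domain owner publishes to say the domain no longer accepts mail, which is also a sensible step when winding a domain down). The account records, domain names and the stub resolver are constructed for the example; the `dnspython_resolve_mx` adapter is an assumed production hook and is not exercised here.

```python
"""Audit recovery email addresses for domains that can no longer receive mail.

Added example for this thread. ACCOUNTS and FAKE_DNS are constructed data;
in production, pass a resolver such as dnspython_resolve_mx below instead of
fake_resolve_mx.
"""
from typing import Callable, List, Optional, Tuple

MxRecords = Optional[List[Tuple[int, str]]]   # None = NXDOMAIN, [] = no MX


# Constructed sample of what a site's user table might hold.
ACCOUNTS = [
    {"user": "alice", "primary": "alice@live-corp.example",
     "secondary": "Alice@OldName-Inc.example"},        # lapsed secondary
    {"user": "bob", "primary": "bob@defunct-llc.example",
     "secondary": None},                                # lapsed primary
    {"user": "carol", "primary": "carol@live-corp.example",
     "secondary": "carol@winding-down.example"},        # null MX secondary
]

# Constructed stand-in for DNS. Keys are lower-case domains; a missing key
# means NXDOMAIN (the domain is not registered).
FAKE_DNS = {
    "live-corp.example": [(10, "mx1.live-corp.example.")],
    "winding-down.example": [(0, ".")],   # RFC 7505 null MX: refuses mail
}


def fake_resolve_mx(domain: str) -> MxRecords:
    """Offline resolver used by the example."""
    return FAKE_DNS.get(domain)


def dnspython_resolve_mx(domain: str) -> MxRecords:
    """Assumed production adapter using dnspython (not run in this example)."""
    import dns.resolver  # type: ignore
    try:
        answer = dns.resolver.resolve(domain, "MX")
    except dns.resolver.NXDOMAIN:
        return None
    except dns.resolver.NoAnswer:
        return []
    return [(rr.preference, rr.exchange.to_text()) for rr in answer]


def classify_domain(domain: str, resolve_mx: Callable[[str], MxRecords]) -> str:
    """Return 'unregistered', 'null-mx' or 'ok' for a mail domain.

    An empty MX set is treated as 'ok' because SMTP falls back to the
    domain's A/AAAA record (implicit MX), so mail may still be delivered.
    """
    records = resolve_mx(domain)
    if records is None:
        return "unregistered"          # anyone can register it and read resets
    if any(exchange == "." for _, exchange in records):
        return "null-mx"               # owner declared the domain mail-dead
    return "ok"


def domain_of(address: str) -> str:
    """Normalise the domain part of an email address for DNS lookup."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def audit_accounts(accounts, resolve_mx) -> List[Tuple[str, str, str, str]]:
    """Return (user, role, address, status) for every risky recovery address."""
    findings = []
    for acct in accounts:
        for role in ("primary", "secondary"):
            addr = acct.get(role)
            if not addr:
                continue
            status = classify_domain(domain_of(addr), resolve_mx)
            if status != "ok":
                findings.append((acct["user"], role, addr, status))
    return findings


if __name__ == "__main__":
    for user, role, addr, status in audit_accounts(ACCOUNTS, fake_resolve_mx):
        print(f"{user:6} {role:9} {addr:32} {status}")
```

Accounts flagged `unregistered` should have password resets to that address suspended and the user contacted through another channel; `null-mx` findings are domains whose owner has already signalled the wind-down that the second answer describes, so the address will bounce rather than be hijacked, but the user still needs a new recovery address. The resolver is injected so the same audit runs against the constructed data here and against live DNS in production.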