back to article 300 UK domains pilfered, MASSIVE security lapse blamed

What appears to be a glaringly obvious security hole has been blamed for the snatching of 300 domains hosted by one web-hosting firm last year, The Reg has discovered. A source told El Reg that anyone with a hosting package from 123-Reg, and hence an account control panel, simply had to change the final section of the URL …


This topic is closed for new posts.
  1. Stephen 2

    123-Reg admin panel sucks hard

    It's always been so terrible. Constantly kicks you out because the various parts don't play nicely with each other. Easy to access other peoples details/domains as mentioned in this post and it's generally just a huge pile of wank.

    1. andy 103

      Re: 123-Reg admin panel sucks hard

      You're not kidding. In web development circles the 123-reg control panel is regarded as the best example of how NOT to develop a web application. Usability isn't a word they've heard of and it seems that also applies to security.


  2. jubtastic1

    That's ridiculous

    Just plain asshattery, whoever coded that admin panel needs their computer operators licence revoked.

  3. Spender

    That's just astonishingly negligent. I'm taking my custom elsewhere with immediate effect (it will be my next action after posting this message).

    Those morons don't deserve my business. Thanks for the heads-up, reg.

    1. Anonymous Coward
      Anonymous Coward


      Negligent on their part, yes, but you clearly didn't do any basic due diligence either. If this is such an obvious problem you everyone else should have seen it too.

      1. Anonymous Coward
        Anonymous Coward

        Re: Err...

        "you clearly didn't do any basic due diligence either"

        Are you suggesting we security test every web application we use? What happens if they fail the test and you find yourself up in court for gaining unauthorised access to a computer/network?

        A certain expectation and level of trust is assumed when you do business with anyone, 123-Reg have breached that trust and Spender is well within his/her rights to be peeved.

        1. Anonymous Coward
          Anonymous Coward

          Re: Err...

          No, but I am suggesting that if you chose a service which had an apparently glaring problem such as this, and a service which has a row of commentators queuing up to slag off all over the Internet, then you probably got what you paid for.

          A few web searches could constitute due diligence, rather than a full on pen test.

  4. Unlimited

    They still have customers?

    Why do people continue to do business 123-reg? Their service was always appalling.

    1. Anonymous Coward
      Anonymous Coward

      Re: They still have customers?

      Because it is easy as 1 2 3.

      #1 You sign up,

      #2 You enter in the addressbar,

      #3 The domain is yours

    2. Anonymous Coward
      Anonymous Coward

      Re: They still have customers?

      They're cheap when you start wanting to use their name servers for your hosting, and their DNS setup is simple. Not sure how many people are dumb enough to use them for hosting.

      Their name servers are good. I've had no end of clients who use the name server in their hosting package which are two references to their own VPS.

      Oh, and their service is still a mile better than GoDaddy, who set the industry baseline in being tools.

  5. tin 2

    123-reg's control panel has been broken in a number of ways for a few months now, notwithstanding the effort maybe a year ago to update it to something that looks modern, bolted onto the top of their old control panel. I've paid for renewals I didn't want to with them because I couldn't get the domains transferred out with bits of the registrar lock and admin details panels being broken at various times.

    Of course I cant say if the weakness exploited is part of the new or the old CP. I hope it's actually the new one. The old one was boring plain but entirely functional, and remnants of it are clearly underneath parts of the new one.

    Now for example if you're a heavy user of email forwarding, an small old rather long webpage is replaced by (in my case) a 1MB, 40,000 line behemoth of javascript which will show a whole 10 email dresses (while the rest are in the source, but need to you click to see them). It also nicely puts ellipses in email addresses making them impossible to read, usually replacing no letters at all, just for a laugh.

    If this security problem affects as it would seem (Nominet's involvement) that 123-reg has "terminated our registrar agreement with one registrar" seems BS, as they indeed have, but I understand it's their upstream .com registrar (which in itself has causes nightmares for us that have .coms registered through 123-reg). It also seems from the story to make no difference as it's 123-reg's control panel that's at fault, so why they could say they've "worked with our registrars to help them tighten security" also reads as BS.

    Unfortunately 123-reg's marketing/PR have been hundreds of thousands of miles away from what's actually happening on the ground for months (have a ganders at their tweets to and from - complete disconnect). Presumably these statements came from the PR bods sitting there in cloud airy-fairy land.

  6. Frankee Llonnygog

    Broken or not

    My registrar advertises it's a pro outfit, and they manage domain name portfolios for major blue chip companies with highly visible brands. Want to screw up one of those domains and damage that brand? Go to the web control panel, and keep trying username/password combos to your heart's content (you have unlimited attempts). None of that, 'welcome frankee, you last logged in at ... ' nonsense either.

    I won't name the registrar or give the URL of the control panel coz, in this case, obscurity is all the security I've got.

    However, in case any readers recognise that description and work for that company - your portal sucks and its security is pathetic.

    I'd gladly pay more for proper security with, perhaps, a hardware token.

    Same story with my DNS hosting. Even get me started about the Press Team's Twitter accounts have better security than this

  7. Lee D Silver badge

    Bear in mind who they are

    "With its brands 123-reg, Heart Internet, Host Europe, Webfusion, Host Europe Suisse, Domainmonster, RedCoruna and Donhost, the Group has a strong market presence in the UK, Germany, Austria, Switzerland and Spain."

    If 123-reg are negligent like this for years without telling anyone, it's pretty certain that the other companies are just as bad.

    I had no end of rows with 123-reg over a customer's FTP hosting where they just deleted files from an FTP account that only I had access to. Literally, the whole site, just disappeared - all sorts of CGI and back end code gone and all the HTML removed (obviously I had backups, but that's not the point). When I reported it (because it broke the website I'd just made for the client), they then phoned up my client(!) and vehemently shouted me down to my client to the point where relations were very strained all round. I demanded a conversation with their top technical guy and recorded it. I still have the MP3 somewhere, because they were basically phoning up my customers (i.e. the details on the webpage, not the owner/technical contact on the domain) and telling them it was my fault and I'd deleted all their website.

    The technical guy said they'd had no data loss. But they didn't have backups of ANYTHING I'd uploaded over the last six months. Nothing at all. I demanded they change the FTP password on the account because if *I* didn't do it, and I was the only one with the login details, then *SOMEONE* did and I needed to secure the website. 3 years later, the password was still unchanged despite a LOT of requests on my part. They had no FTP access logs AT ALL, to prove me wrong or see if they'd had an intrusion. Nothing. Not even a list of IP's from their authentication system. They could not even tell me when I'd logged in, and I'd given them my IP. The technical guy at least had the decency to start sounding sheepish at the point they realised that they had no way to tell what had happened, and that I probably had more logs than they did.

    The client eventually moved over to a completely different host, and didn't blame me - mainly because they were annoyed at being rung up by someone not associated with them at all who them proceeded to blame the guy they were paying for something they hadn't even noticed up until then - but it's those sorts of things that cost you customers (and initiate lawsuits!).

    It's a shame. For a while, I had hosting and accounts with several of their now-subsidiaries but they've all gone to pot in the intervening years.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bear in mind who they are

      We also had a whole site and db wiped out during their control panel updates.

    2. Anonymous Coward
      Anonymous Coward

      Re: Bear in mind who they are

      That'd be an interesting conversation to hear as it's very unusual to get someone properly senior on the phone at any hosting company from the technical side of things

    3. mickey mouse the fith

      Re: Bear in mind who they are

      "I had no end of rows with 123-reg over a customer's FTP hosting where they just deleted files from an FTP account that only I had access to."

      i had so many problems with their ftp that i gave up in the end. Permissions on files randomly changed, certain files just refused to be updated because of some weird read only bit being set and no amount of fucking about on my end would change it. Directories disappearing or refusing to disappear etc.

      The final straw came when my cc expired when i had 4 months left to run on my contract (fully paid up). The buggers tried locking me out of the control panel until i updated it. No way I was going to do that and let them take another years worth automatically.

      In their defense, their staff were always prompt and helpful, shame any fixes they applied were only (very) short lived with the same problems returning within a few days.

    4. Jamie Jones Silver badge

      Re: Bear in mind who they are

      FTP? That may be your problem right there.. Don't suppose you were using telnet for interactive access also?

  8. Anonymous Coward
    Anonymous Coward

    I can't say I'm suprised. If you phone them up they even ask for your password so their grasp of security isn't exactly great.

  9. adam payne

    This is just negligence plain and simple.

  10. Anonymous Coward
    Anonymous Coward

    I noticed a couple of years back that they started offering paid-for subdomains. It was something like £10 for 10 subdomains per year.

    I was confused as I had many subdomains on my domains simply by adding A records (what is www again?)

    It was at the same time that they simplified the DNS control panel and you had to press an extra button to get to the advanced control section.

    Basically, it's an idiot tax for the rubes. Still got many many subdomains without paying a penny extra.

    /anon, because I don't want my domains hacked.

    1. Clive Galway

      That's funny. Kinda like when an ISP offers you static IP(s) for a monthly fee.

      Immediately sets alarm bells ringing that one.

      1. DaLo

        How is that the same?

        There is only a finite number of v4 IPs and they are pretty much all allocated. Therefore how do you get static IPs from your ISP other than by buying them off them or using a different ISP?

        At least with monthly subs people will consider whether they really need them and hand them back at the end of their use.

  11. Gordon Pryra

    Referred to Britain's Information Commissioner?

    Should that not be referred to the local police? Its theft, no?

  12. ArthurGuy

    I reported this hole to 123 reg about a year ago, I wonder when last year this actually happened?

  13. Anonymous Coward
    Anonymous Coward

    It wasn't always like that...

    In the earlier days of me using 123-reg, I did indeed decide to test the security when I saw the URL in a get command and was unable to access another 123-reg account of my employer (which I also had credentials for) and it didn't work. Seems like someone disable the security in the last 5 years. From experience this is usually an internal testing gaff.

    1. Lee D Silver badge

      Re: It wasn't always like that...


      Pretty weak words for something which allows anyone to take over your entire domain without your knowledge, everything from DNS to email to hosting, and make you fight to get it back, and fight more to get it recognised a year after the event.

      And internal testing? That's internal for a reason. A production website with X thousand customers shouldn't be suffering "gaffs" like this, at all. And if you're security is a little button that you turn off when convenient (rather, than, say, proper testing of cookies to ensure that a XSS attack isn't taking place, and checking that user X is not even capable of looking at data for user Y), then it's not security.

      1. Anonymous Coward
        Anonymous Coward

        Re: It wasn't always like that...

        Commenting or a simple "||true" added can produce this behaviour. Forgetting to remove "||true" is a gaff with pretty dire consequences, but still a gaff none the less.

        As for testing, if they only test amended code as opposed to the full product something like that can go unnoticed.

        I'm not saying it's right, I'm saying it could be the consequence of a small error, and that happens.

        1. Anonymous Coward
          Anonymous Coward

          Re: It wasn't always like that...

          Not separating user assets is quite a big "ups" to go unnoticed, wouldn't call it negligence, rather plain and simple stupidness.

  14. Anonymous Coward
    Anonymous Coward

    Areet Gaffer


    an iron hook with a handle for landing large fish.


    a social blunder; faux pas.

  15. Aristotles slow and dimwitted horse

    So if 1-2-3 et al are so bad...

    Who would you recommend for this sort of thing?

    (genuine enquiry as am looking to register a domain name in the near future)

  16. jimjamyaha

    Refuse to acknowlege secuirty issues...

    I had one domain with them that I found out was set to forward to someone else's domain. I had not set this up. Since last year I have been on a tortuous battle to state that I did not make this change and that account security must have been compromised.

    They always deny this and just state that 'the domain forwarding has now been removed' - which obviously it has because I removed it!

    Going to use this article as fodder to force the issue and prob just move all my domains away from them as it seems they have security issues - and a lack of customer service in admitting that something could actually be their fault.

  17. Anonymous Coward
    Anonymous Coward

    Poor old 123reg. FWIW, I've used them for years, and yes, the control panel was made by a retarded fool in his lunch hour, but for the amount I actually use it, it's been fine.

    However, I had to find out about this breach from El Reg - not from the email that 123reg should have sent me. Therein is the core issue - making a technical mistake as they did is pretty crappy, and they shouldn't have made it. However, not dealing with it properly indicates they've got dozens more issues kicking about that they're not fixing either.

  18. Tim Boothby

    Reckless negligence

    The more I think about this, the more horrified I feel about this. A business's domain, dns and email are really, really critical to them.

    Think about what you can do if you can mess with an organisation's DNS. You could set up an impostor website on their genuine domain to use in a phishing attack. You could alter their MX records and intercept all their inbound email. You could point their domain to any other website of your choice. You could proxy their website and intercept all communications to and from it.

    Without any statement from 123-reg on this issue we only have this article for information, but if all three million domains they hosted were vulnerable to this,the potential for compromise of sensitive data here is staggeringly enormous.

    They certainly have a duty to protect customers domains and DNS as these are the keys which protect much confidential information. It also sounds like customers with 123-reg hosted email boxes were vulnerable. I'd say the Information Commissioner should be very interested in this case.

    For such a fundamental basic error to have gone unnoticed smacks of a company where security isn't even on the agenda. Had the developers had any security training, had there been any internal testing or external pen testing this would surely have been picked up. So it seems reasonable to conclude none of this is going on. One might also presume then that they don't have the information to properly investigate this, to determine what other customers might have been affected.

    Given how important control of domains is, to have such a lack of security amounts to reckless negligence.

    There is no comment from 123-reg - they haven't informed customers, haven't replied to my email asking for assurance. Haven't even issued a statement saying the issues are resolved. Haven't warned customers to check their DNS and MX records are correct.

    I would say that Nominet and the other TLD registries are to an extent culpable here too. They should be setting out minimum levels of security for domain retailers which should at minimum include an independent penetration test of their systems and ideally ISO27001 certification.

    I'm left wanting to move my domains away from 123, but being unsure if anyone else in the market is actually any better.

    Very, very shabby.

This topic is closed for new posts.

Other stories you might like