Bad news for domain sleuths, Go Daddy finally fixes WHOIS Privacy leaks in Account Retrieval System

Go Daddy Account Retrieval System

Go Daddy has finally fixed a huge privacy leak issue that was first reported and publicized by Abdu Tarabichi back in March: revealing partial e-mail addresses of domain owners. 

The flaw gave anyone the ability to see a partial e-mail address of a registrant, even if the registrant had used Go Daddy’s privacy service, Domains by Proxy, Inc.

For people to see the partial e-mail address, all one had to do was simply try and retrieve a customer number online from Go Daddy’s main website.  In the past, to retrieve a customer number online, you would select a product from a list (for example “Domain Name”), enter a security access code by retyping the graphic number shown on screen, then Go Daddy would display a partially masked email address on the screen that corresponded to the domain name you entered, such as ****email.com.

In fact, it made it somewhat easy for domain sleuths to see which company registered a domain name, that is, if the company happened to use a corporate email address such as ***zynga.com.  

Social gaming giant Zynga finally started using a generic Yahoo! email address in order to keep its domain registrations a better kept secret.  The company regularly uses Go Daddy’s privacy services, but after a number of stories revealed it was the owner of certain domain names, the company switched away from its company address.

The change to Go Daddy’s Account Retrieval System fixes the way that you retrieve customer numbers online. 

Go Daddy now requires you to enter the email address on the account, as an additional step.

Here’s a look at the old way of doing things.  Go Daddy has yet to update its Online Help.

0 comments