GoDaddy is the biggest domain registrar today, with 40 million domain names under their control.
Bob Parsons started small, but by 2001 the company was already growing by leaps and bounds, with thousands of customers.
Having registered my first domains with GoDaddy in December of 2000, it didn’t take me long to realize that there was something fishy with the user account and password system.
Back then I didn’t have a need to keep all of my domains under the same GoDaddy account, so every so often I’d create a new account, which would correspond to a new, incremented customer number. If the browser cookies were deleted, the registration process would assign that new account a matching numerical password.
So if you were user 123456 the password for that domain registration would also be 123456.
It got even scarier: with all cookies deleted, you could enter any such account number during the registration process, enter the matching number as the password, and the contact and billing info of the account holder would be populated automatically.
Back then there was no direct support; one had to post their issue at SupportWebsite.com. So I had to catch GoDaddy’s attention, which I did by making a post titled “SEVERE security issue discovered!”. GoDaddy emailed me asking for the details.
Barb Rechterman, VP of Development for GoDaddy Software contacted me, thanking me for letting them know of the details. Within days, the security hole was patched and the password allocation system was changed. Nowadays, Barb is the Senior Executive Vice President & Chief Marketing Officer for GoDaddy and I’m glad she did not ignore my emails back then.
When creating an account system, it’s not smart to generate sequential account numbers; but defaulting the password to the same number is simply dumb. The majority of account holders don’t view this as a risk but rather as a “convenience”, and would not bother to change the password, as was the case with GoDaddy in January of 2001.
Just another story from the vault that might or might not be of interest today – you be the judge. 😀
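To make the design point concrete, here is an added example (not GoDaddy’s code, and not from the original post) that models the weak provisioning scheme described above next to a hardened one, plus the audit check a defender would run over either: count the accounts that accept their own identifier as the password. Customer numbers, contacts and the hashing parameters are constructed for the illustration.

```python
import hashlib
import secrets


class WeakRegistrar:
    """Scheme from the post: sequential customer numbers, and the default
    password is the customer number itself. Constructed model, not real code."""
    def __init__(self, first_id=123456):
        self.next_id = first_id
        self.accounts = {}

    def create_account(self, contact):
        cid = str(self.next_id)
        self.next_id += 1
        self.accounts[cid] = {"password": cid, "contact": contact}
        return cid, cid  # customer number and its (identical) default password

    def login(self, cid, password):
        acct = self.accounts.get(cid)
        if acct and secrets.compare_digest(acct["password"], password):
            return acct["contact"]  # contact/billing data exposed on success
        return None


class HardenedRegistrar:
    """Opaque random identifier, random one-time setup password that is stored
    only as a salted PBKDF2 hash and flagged for forced change on first login."""
    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def create_account(self, contact):
        cid = secrets.token_hex(8)        # not guessable from earlier accounts
        temp = secrets.token_urlsafe(12)  # unrelated to the identifier
        salt = secrets.token_bytes(16)
        self.accounts[cid] = {"salt": salt, "hash": self._hash(temp, salt),
                              "contact": contact, "must_change": True}
        return cid, temp

    def login(self, cid, password):
        acct = self.accounts.get(cid)
        if acct and secrets.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            return acct["contact"]
        return None


def audit_id_as_password(registrar, ids):
    """Defender-side check: number of accounts that open with their own id."""
    return sum(1 for cid in ids if registrar.login(cid, cid) is not None)
```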
Well shoot; I found it interesting.
Thanks for the cautionary tale.
Inspiring story, thanks for sharing! A lot of things we take for granted today.
Interesting story! It’s almost 10 years ago.
Good catch and alert. You have really saved GoDaddy loads and you should have been rewarded in the right way (as Google and Mozilla do now)! It will be nice to see registrars also adopt certain reward programs to fix bugs. It seems you didn’t get any from them other than Barb’s attention 😉
Interesting.. 🙂
Bob is one of our invited speakers for our motivation event at URL FEST. I still am looking for someone who wants me to drive some auction business to their auction site in conjunction with the fest. If I don’t find someone I will just build my own. Although, it was not a business that I wanted to be in. Call me if you want to look at this opportunity.
ernie hemple
801-854-2670
You really saved Godaddy.
If it was someone else, he would probably have tried to hack other’s domains and make money from that.
Well done.
No reward was given – none was asked.
It was all done in order to assist GoDaddy with resolving the issue, as I’ve done with other companies.
Nowadays a lot of such vulnerabilities are announced in public, in order to “force” the companies in question to react and fix the problems. In my opinion, this is not the right approach.
J’accuse! (too). Where is your reward? So unfair. They saved a lot of money. So stingy, man. A voyage somewhere, something like that. This is our world… It doesn’t matter, you are and will be the same honest guy.
Wallace – Because it’s been almost 10 years since and the industry (and GoDaddy) has grown so much, I felt it was the right time to publicly discuss it 🙂
Shailendra Mishra – I never gave it a second thought.
Duras – Exactly. The reward is knowing that you did the right thing.
Theo, I feel your pain… or non-pain.
I suggested directly to Bob back in 2004 that forcing domain buyers to go through a total of 11 “upsell pages” while trying to buy a domain would prevent domain investors from buying domains on GoDaddy.
His assistant answered me, and was wondering how they could do it without incurring major costs. I suggested just including a checkbox that allowed “domain experts” to click to bypass the upsell pages and buy the domains, and just direct those “box” clickers to move straight to the “shopping cart”.
They implemented this system within a week, and all I asked for was $500 in domain renewal credits.
Not sure if that checkbox is still there, but I have become so disgusted with GD on so many levels, I’m slowly moving all my domains away from them. Hey, if you can diminish a powerful woman’s accomplishments in an ALL MALE WORLD OF RACING by making her a “sex symbol”, then as a sponsor, you’re truly a despicable force in making a girl choose between her beauty and her abilities… for DOLLARS.
Sadly, Danica chose the money, the lowlife representation of her, and the idiotic sponsorship money that Bob Parsons offered her to “choose the path of least resistance”. Sex sells. Bob likes that. Powerful women accomplishing substantial achievements in a man’s world, who cares, as long as that woman is displayed in a shower scene, Yes?
Stephen – For the record, I find Danica as exciting as rust on the underside of a race car 😀
Have you checked out Leilani Munter?