What is at stake after the Sedo intrusion incident

On Saturday, I reported a potential glitch at Sedo that might have generated emails sent to existing users, asking them to confirm their accounts.

Today, Sedo announced in an email that the welcome email was the result of an intrusion into the Sedo website.

The notification email from Sedo reads in part:

We wish to inform you that on Saturday, 12th April, the Sedo website was compromised by an unknown intruder through a previously unknown security loophole. This resulted in an unauthorized email with the subject “Confirm your Sedo Account” being sent to a small number of our customers.

Our immediate investigation into the matter has shown that your email address was unfortunately one of those affected. That means that the intruder has got your email address only. NO other data has been compromised, i.e. no passwords or other account information was obtained. The security vulnerability was closed as soon as it was detected and any further unauthorized access was successfully prevented. This means that your Sedo account is safe, and you do not need to take any action to safeguard data stored in your account. Clicking on the link in the unauthorized email has no adverse effects.

Most likely, the intruder gained access to the Sedo web site, potentially as a user with elevated privileges. That gave them access to a set of tools that included the ability to initiate a “Welcome to Sedo” email, which they edited accordingly.

When one signs up for a new Sedo account, a confirmation email with the subject “Welcome to Sedo!” is sent out, as seen below:

Dear Mr. [firstname],
Thank you for registering with Sedo!

Please activate your free registration by clicking on this link:
http://www.sedo.com/confirm_account.php?challenge=[redacted]&language=e
(If clicking the link does not work, please try copying and pasting the entire link into a new browser window.)

Please note that before you can sell, buy or park domain names you need to complete Sedo’s free Member Certification process.
After you have activated your account you will automatically be redirected to Sedo’s Member Certification process.
http://www.sedo.com/member/membercert/index.php

Here’s a quick tip to get you started: What’s the number one thing you can do to improve your chances of selling a domain name?
Domain Parking! Sedo’s Domain Parking is the secret that lets the pros consistently sell more domains at higher prices than marketplace listings alone.
Even better, it’s FREE and takes only a few minutes to setup.

Learn how you can start earning more money with your domain names by following the link below:
http://www.sedo.com/services/parking.php3

For more tips on promoting your domain sale, please visit:
http://www.sedo.com/uk/sell-domains/overview/?tracked=&partnerid=&language=us

At Sedo, we strive to provide the best customer support in the domain industry.

Once your account is activated, we will send you a welcome email with some helpful tips and information to get you started.

If you have any questions, comments, or feedback, please do not hesitate to contact us at contact@sedo.com.

Once again, welcome to Sedo!
Best Regards,

Your Sedo Team

________________________________________________

Sedo.com :: 161 First Street :: Cambridge, MA 02142
tel 617-499-7200 :: fax 617-499-7219
http://www.sedo.com :: http://support.sedo.com

________________________:: make a name for yourself.

Confidentiality Statement:
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.

As one can see, the real email differs a lot from the one sent on Saturday, which proves that the intruder customized the email that was sent out.

It must be noted that both the intruder’s emails and the legitimate Sedo email were sent through the same third-party mailer, as mentioned in my previous post: both share the same originating network and neighboring IP addresses.

In other words, the vulnerability that was exploited to mass-mail existing accounts was most likely limited to the following:

  • Access to an administrative tool at Sedo.
  • Compilation of a custom email.
  • Mass dispatching of email to existing accounts or a portion thereof.

The intruder could have done considerably more damage by including a phishing link in the custom email they compiled.

It is quite possible that the intruder wanted to raise awareness of an existing security hole by causing minimal damage while getting attention for it. They may also simply have failed to maximize the impact of their attempt to access user accounts.

At this time, there is no indication that any account information was compromised; while the hashed links sent in the Saturday email do log users into their accounts, each link appears to have been dispatched individually to its own user.

This glitch also points the finger – potentially – at the third party used to generate the emails.

It is a good idea, however, to change your Sedo password. In my opinion, the damage done is more or less limited to hurting Sedo’s reputation.

Regardless of what vulnerability patching Sedo has performed since the incident, they must also change the code that generates and authenticates the hashed links, because the existing links – when shared – still log one into an active Sedo account.
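To illustrate what such a change looks like, here is an added example (not Sedo’s code, and not from the original post) of an account-confirmation challenge that is random, stored only as a hash, expiring, and consumed on first use, and that confirms the account without creating a login session; the host in build_link is a placeholder, and the store is an in-memory stand-in for a database table.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingConfirmation:
    user_id: int
    expires_at: float
    used: bool = False


class ConfirmationStore:
    """In-memory stand-in for a table of pending account confirmations."""

    def __init__(self, ttl_seconds: int = 24 * 3600):
        self.ttl = ttl_seconds
        self._pending: Dict[str, PendingConfirmation] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the challenge is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Create a fresh, unguessable, single-use challenge for one user's link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = PendingConfirmation(user_id, now + self.ttl)
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Consume the challenge. Returns the user_id to mark as confirmed, or None if the
        link is unknown, expired or already used. It deliberately does not create a
        session: after confirmation the user still has to log in normally, so a forwarded
        or leaked link cannot be used to enter someone else's account."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._digest(token))
        if entry is None or entry.used or now > entry.expires_at:
            return None
        entry.used = True  # a second click on the same link fails
        return entry.user_id


def build_link(token: str) -> str:
    # Placeholder host; mirrors the page's confirm_account.php?challenge=... pattern.
    return f"https://example.invalid/confirm_account.php?challenge={token}&language=e"
```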

Comments

  1. I did get one of those and the contents of that email were something like “In order to make an offer you need to activate the account. etc..”

    I knew I didn’t need to verify my account as I already had it verified 11 years ago.

    Moreover, I didn’t make any offers on any domains.

    I think the intruder even made offers on behalf of some of the users.

    Thanks.

  2. George from Miami says

    Like Keral Patel, the email didn’t sound logical.
    In most cases I let the sender repeat the email. In that case, I call them directly
    to verify the matter.
    My password was already changed.
    Anyhow, thank you for letting me know.
