{"id":3945,"date":"2014-04-14T14:12:14","date_gmt":"2014-04-14T18:12:14","guid":{"rendered":"http:\/\/acro.net\/blog\/?p=3945"},"modified":"2014-04-14T14:31:47","modified_gmt":"2014-04-14T18:31:47","slug":"what-is-at-stake-after-the-sedo-intrusion-incident","status":"publish","type":"post","link":"https:\/\/acro.net\/blog\/what-is-at-stake-after-the-sedo-intrusion-incident\/","title":{"rendered":"What is at stake after the Sedo intrusion incident"},"content":{"rendered":"

On Saturday, I reported a potential glitch at Sedo<\/strong><\/a> that might have generated emails sent to existing users, asking them to confirm their accounts.<\/p>\n

Today, Sedo announced in an email, that the welcome email was the result of an intruder to the Sedo web site.<\/p>\n

The notification email from Sedo reads in part:<\/p>\n

We wish to inform you that on Saturday, 12th April, the Sedo website was compromised by an unknown intruder through a previously unknown security loophole. This resulted in an unauthorized email with the subject \u201cConfirm your Sedo Account” being sent to a small number of our customers.<\/em><\/p>\n

Our immediate investigation into the matter has shown that your email address was unfortunately one of those affected. That means that the intruder has got your email address only. NO other data has been compromised, i.e. no passwords or other account information was obtained.<\/strong> The security vulnerability was closed as soon as it was detected and any further unauthorized access was successfully prevented. This means that your Sedo account is safe, and you do not need to take any action to safeguard data stored in your account. Clicking on the link in the unauthorized email has no adverse effects.<\/em><\/p><\/blockquote>\n

Most likely, the intruder gained access to the Sedo web site, potentially as a user with elevated privileges. That gave them access to a set of tools that included the ability to initiate a “Welcome to Sedo” email, which they edited accordingly.<\/p>\n

When one signs up for a new Sedo account, a confirmation email with the subject “Welcome to Sedo!” is sent out, as seen below:<\/p>\n

Dear Mr. [firstname],
\nThank you for registering with Sedo!<\/p>\n

Please activate your free registration by clicking on this link:
\nhttp:\/\/www.sedo.com\/confirm_account.php?challenge=[redacted]&language=e
\n(If clicking the link does not work, please try copying and pasting the entire link into a new browser window.)<\/p>\n

Please note that before you can sell, buy or park domain names you need to complete Sedo’s free Member Certification process.
\nAfter you have activated your account you will automatically be redirected to Sedo’s Member Certification process.
\nhttp:\/\/www.sedo.com\/member\/membercert\/index.php<\/p>\n

Here’s a quick tip to get you started: What’s the number one thing you can do to improve your chances of selling a domain name?
\nDomain Parking! Sedo’s Domain Parking is the secret that lets the pros consistently sell more domains at higher prices than marketplace listings alone.
\nEven better, it’s FREE and takes only a few minutes to setup.<\/p>\n

Learn how you can start earning more money with your domain names by following the link below:
\nhttp:\/\/www.sedo.com\/services\/parking.php3<\/p>\n

For more tips on promoting your domain sale, please visit:
\nhttp:\/\/www.sedo.com\/uk\/sell-domains\/overview\/?tracked=&partnerid=&language=us<\/p>\n

At Sedo, we strive to provide the best customer support in the domain industry.<\/p>\n

Once your account is activated, we will send you a welcome email with some helpful tips and information to get you started.<\/p>\n

If you have any questions, comments, or feedback, please do not hesitate to contact us at contact@sedo.com.<\/p>\n

Once again, welcome to Sedo!
\nBest Regards,<\/p>\n

Your Sedo Team<\/p>\n

________________________________________________<\/p>\n

Sedo.com :: 161 First Street :: Cambridge, MA 02142
\ntel 617-499-7200 :: fax 617-499-7219
\nhttp:\/\/www.sedo.com :: http:\/\/support.sedo.com<\/p>\n

________________________:: make a name for yourself.<\/p>\n

Confidentiality Statement:
\nThis e-mail, including attachments, may include confidential and\/or proprietary
\ninformation, and may be used only by the person or entity to which it is addressed. If the
\nreader of this e-mail is not the intended recipient or his or her authorized agent, the
\nreader is hereby notified that any dissemination, distribution or copying of this e-mail is
\nprohibited. If you have received this e-mail in error, please notify the sender by replying
\nthis message and delete this e-mail immediately.<\/p><\/blockquote>\n

As one can see, the real email differs a lot from the one sent on Saturday, which proves that the intruder customized the email<\/strong> that was sent out.<\/p>\n

It must be noted that both the intruder’s emails and the valid Sedo email are sent from the same third party mailer, as mentioned in my previous post<\/strong><\/a>. Both emails share the same originating network and neighboring IP addresses.<\/p>\n

In other words, the vulnerability that was exploited in order to mass-mail existing accounts, was most likely limited<\/strong> to the following:<\/p>\n