All,

Owners of domains registered with SWITCH nic.ch are receiving these days their annual
"Payment information for domain names" ("Zahlungsinformation für
Domain-Namen") again.

As a courtesy to the user there is a link supplied to allow a direct payment
by credit card, e.g.
https://nic.switch.ch/reg/epay.cfm?userid=123456&key=m3Ydfdrcf4mm3uEYx
(hehe, modified...) in a clear text message. I see this is a very nice
service - and I don't hesitate if anyone else grabs the link from the mail
and pays the invoice. 

But the downside: At the end of the page there is a link to "Options" -
directly pointing to the page where new names can be registered, domains can
be transferred to other customers or the password can be changed - WITHOUT ever
asking the user for his password, which would more or less ensure he is the
appropriate person for such tasks.

I consider this a MAJOR security breach. This has been repeatedly reported
to nic.ch - including their legal and compliance department (SWITCH security
responsible) - over the last 12 months:

Official answer: "We can not understand your problem." Not even a sorry, or
a thank you. They promised to look into it - but again nothing changed.

SWITCH - nic.ch - an ignorant and stupid organization.

Besides flames: What are your thoughts? Something for a follow-up by our new
friends from Berne?

-Kurt.

PS. Spying nic.ch passwords is not required at all ;-))
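The flaw Kurt describes is a capability that was issued for one purpose (paying an invoice from an e-mailed link) being honoured for a much more sensitive purpose (registering, transferring, changing the password). The added example below is not from SWITCH or from the original post; it is a constructed, stand-alone sketch of how a registrar could bind such a link to a narrow scope, so that a token carried in a clear-text e-mail can only ever do what the e-mail was sent for. The secret, user id, scope names and action names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for the example; a real deployment would load
# it from a secrets store, never hard-code it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Which actions each token scope may perform. A link mailed out with the
# invoice should only ever carry the "payment" scope; anything that changes
# the account ("account" scope) is issued only after a password login.
SCOPE_ACTIONS = {
    "payment": {"view_invoice", "pay_invoice"},
    "account": {"view_invoice", "pay_invoice", "register_domain",
                "transfer_domain", "change_password"},
}


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(userid: str, scope: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Create a signed, scoped, expiring token of the form payload.signature."""
    if scope not in SCOPE_ACTIONS:
        raise ValueError("unknown scope: %r" % scope)
    now = time.time() if now is None else now
    claims = {"uid": userid, "scope": scope, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return "%s.%s" % (_b64e(payload), _b64e(sig))


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _b64d(p64), _b64d(s64)
    except ValueError:            # malformed token or bad base64
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, action: str, now: Optional[float] = None) -> bool:
    """Allow `action` only when the token is valid AND its scope covers it.

    This is the check the "Options" page in the post lacks: possession of a
    payment link must not imply permission to manage the account.
    """
    claims = verify_token(token, now)
    if claims is None:
        return False
    return action in SCOPE_ACTIONS.get(claims.get("scope"), set())


if __name__ == "__main__":
    # Constructed walk-through: a payment link for user 123456, valid one hour.
    link_token = issue_token("123456", "payment", 3600)
    print("pay_invoice     ->", authorize(link_token, "pay_invoice"))      # True
    print("change_password ->", authorize(link_token, "change_password"))  # False
```

The design choice worth noting is that the scope travels inside the signed payload, so a holder of the mailed link cannot simply rewrite `scope=payment` to `scope=account`: the HMAC no longer verifies. A short expiry limits how long a link lying in a mailbox stays usable at all, and the account scope is only ever minted after a password check.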

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/