Domainz scrambled last night to find and plug any further holes in its Web site after the emergence of a flaw that left its dealings with customers open to the world.
The database of the site, which processes all registrations under the .nz domain, was shut down for some time during the evening.
Domainz was alerted shortly before 1pm yesterday of a flaw in its site that exposed the Event Manager logs of its registrars - including the country's leading ISPs.
The Event Manager log lists changes and notes associated with the registrars, including names registered and cancelled on behalf of clients, correspondence and overdue accounts. Xtra's log runs to about 6.5Mb of text.
While a casual visitor would have been unlikely to stumble on the information, a registrar needed only to change the four-digit customer ID at the end of the URL for its own log to read a competitor's. No authentication was required to open other companies' logs.
Domainz and its owner Isocnz became aware of the problem after a posting by 2Day.com managing director Peter Mott to the Isocnz mailing list yesterday, but some Internet companies have been aware of it for at least a week.
An employee at one company told IDGNet he discovered the hole when he went to bookmark a page while registering a domain name and noticed the customer ID. He provided IDGNet with another URL that suffered the same issue, but by this morning it was triggering an error message.
The discovery of the flaw will come as a blow to Domainz, which has reported to its board - which passed the assurance on to the Isocnz council - that the controversial $700,000 site developed by Advantage at Domainz' direction was now working 100%. The new registry system suffered a host of major and minor glitches through its first month of service, several of them security-related.
Domainz CEO Patrick O'Brien said the gap had been plugged immediately yesterday, but that he could not explain why the problem occurred.
"The validation rules are pretty much enforced throughout the system and we've investigated why that rule was not enforced there," said O'Brien. "There was a check missing and we put that check in. Wherever you go in the Web site, it's saying who are you and what's your password? For some reason it didn't enforce that check at that point."
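The flaw described above, the URL carrying a customer ID that the server never matched against the logged-in user, is the classic missing-authorisation bug. The following is an added illustration, not code from the article or from the Domainz registry; the query parameter name, the URL, the session object and the two sample logs are all assumptions made for the example. It puts the unchecked handler beside one with the check O'Brien describes restored.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two registrars' Event Manager logs keyed by the
# four-digit customer ID that the article says ended the access URL.
EVENT_LOGS = {
    "1001": "1001: example.nz registered for client; account overdue",
    "1002": "1002: example2.nz cancelled on behalf of client",
}

CUSTOMER_ID = re.compile(r"^\d{4}$")


@dataclass
class Session:
    """Server-side session. customer_id is None until the user has logged in."""
    customer_id: Optional[str] = None


def requested_customer_id(url: str) -> Optional[str]:
    """Pull the customer ID out of a URL such as
    https://registry.example/eventmanager?customer=1002 (hypothetical layout).
    Returns None if it is missing, repeated, or not exactly four digits."""
    params = parse_qs(urlsplit(url).query)
    values = params.get("customer", [])
    if len(values) != 1 or not CUSTOMER_ID.match(values[0]):
        return None
    return values[0]


def vulnerable_event_log(url: str, session: Session) -> Tuple[int, str]:
    """The failure mode in the article: the handler trusts the ID in the URL
    and never asks who the caller is, so anyone who edits the ID reads
    another registrar's log. The session argument is accepted but ignored."""
    cid = requested_customer_id(url)
    if cid is None or cid not in EVENT_LOGS:
        return 404, "no such log"
    return 200, EVENT_LOGS[cid]


def hardened_event_log(url: str, session: Session) -> Tuple[int, str]:
    """Same endpoint with the missing check restored: authenticate first,
    then authorise by comparing the session's own customer ID with the one
    requested, and only then touch the data."""
    if session.customer_id is None:
        return 401, "login required"
    cid = requested_customer_id(url)
    if cid is None:
        return 400, "bad customer id"
    if cid != session.customer_id:
        # Same answer whether or not the other ID exists, so the endpoint
        # cannot be used to enumerate valid customer numbers.
        return 403, "forbidden"
    if cid not in EVENT_LOGS:
        return 404, "no such log"
    return 200, EVENT_LOGS[cid]


if __name__ == "__main__":
    # A registrar logged in as 1001 tampering with the ID to read 1002's log.
    probe = "https://registry.example/eventmanager?customer=1002"
    print("vulnerable:", vulnerable_event_log(probe, Session("1001")))
    print("hardened:  ", hardened_event_log(probe, Session("1001")))
```

The simplest fix of all is to drop the customer ID from the URL entirely and key the lookup on the session alone, so there is no parameter to tamper with; where the ID must stay in the URL, the comparison against the session is the check that must be present on every handler, not most of them.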