The latest misfortune to befall the new Domainz Registry System has seen name holders emailed passwords giving them access to all domain names managed by their ISPs.
A warning about the security flaw was raised by one of six affected registrars (organisations managing multiple domain names, as defined by Domainz) on mailing lists around 10am yesterday.
It was officially acknowledged by Andrew Jamieson of Domainz' developer Advantage Group, around 1pm, in an urgent email advising registrars to "change their user passwords and the passwords for their staff using the DRS system immediately."
Internet consultant Joe Abley, who participated in registrar testing of the new system, says the problem was actually identified and reported some time ago "and just never actioned".
The affected registrars have modified or registered domain names in the past week using the automated email templates in the new system. Domainz urged registrars to use the email templates when the Web part of the registry system was down between Thursday afternoon and Friday morning.
The problem occurred when a confirmation email of changes or new registrations was carbon-copied to the name holder by Domainz. The confirmation emailed to the name holder included the original template, which contained both the login and password of the registrar itself.
Jamieson said in a posting to the Isocnz public list that "due to my oversight, a copy of the name application emails on which the application was originated has been sent to the name holder concerned. Where the non-encrypt option was used for these transmissions, the name holder would have been able to see the registrar ID and password.
"As soon as we became aware of the problem we immediately ceased the issue of copy applications to name holders. We acknowledge this is an issue that should not have arisen and we deeply regret it. We have done all possible to rectify the problem immediately."
The Isocnz council's technical committee meets today to discuss problems with the system built by its registry. In a public posting, council chairman Peter Dengate Thrush acknowledged the frustration the problems had caused and asked for "a little more patience".
On the positive side, Dengate Thrush said "registrars are starting to come in with compliments, and processes which were previously convoluted and lengthy are now being executed in a fraction of the time - and with much less potential for error. I gather that errors and bugs are being attended to within hours of discovery, and am aware that herculean efforts have been made by Domainz and Glazier staff."