“If [the attackers] wanted to be slick about it, they could gain access, insert their code, create backdoor admin accounts, and return access back to the original owner before they even knew what had happened. The owner would receive the confirmation email, see that their website is still online, and consider it a Phishing attack and just delete it,” Mr. Troia said.
GoDaddy isn’t the only major domain registrar to use photo ID as a last resort. Network Solutions also has an ID-based verification process, but unlike GoDaddy’s, its ID and required documents must be faxed over rather than uploaded. Interestingly enough, one domain registrar, Hover.com, doesn’t allow photo ID as a form of verification at all, because “anyone could just whip something up in Photoshop.”
Using GoDaddy’s DomainControl and privacy features, which are offered as a value-added service for an additional cost, would only slow a determined attacker. While the public can’t see the registration details, the support staff can, so an attacker armed with nothing more than public information could still abuse the change-of-account form.
Mr. Troia hopes that by exposing the logic flaw in GoDaddy’s security model, the registrar will implement tougher verification procedures, but he admits it’s a paradoxical situation: a valid government-issued ID should be an acceptable form of verification, yet on its own it’s clearly not enough.