Hey Chuck :)

This is an interesting scenario, but likely rare.  The reseller should
perform some form of due diligence before sending any access credentials
(and only you can "click" that link, or allow it to be clicked through the
API - and even then, only for your domains).

This was announced, and there are also release notes on the issue.  It may
not have been as clear as it could have been (apologies).

<snip>
**Registrant as well as Admin Contact can be e-mailed the
user/name and password.  At the Reseller's discretion, the
Registrant as well as the Admin Contact for a domain name can be
e-mailed the user name and password. Resellers may enable this
functionality via the RWI or an API call.

and

http://releasenotes.resellers.tucows.com/mrDec02
</snip>

Cheers :)

Charles Daminato
OpenSRS Product Manager
Tucows Inc. - [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chuck Hatcher
> Sent: December 13, 2002 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: Sending login information to Owner contact...
>
>
> Here's another change that took me by surprise:
>
> In the RWI we now have the option to send the username/password to the
> owner contact.
>
> I don't disagree that the owner contact has the right to modify the
> registration record.  After all they are the owner.  But this change could
> have unintended security consequences.
>
> Assume, for example, that party A is the admin contact for, but not the
> reseller for, domain names owned by parties B and C.  For easier management,
> party A has put the domain names in the same profile.  In the past this was
> somewhat safe because only the admin contact could obtain the username and
> password.  Now, assume party B contacts the reseller listed in the whois to
> obtain the username and password for his domain, and the reseller sends it
> to him.  He logs in, and now can modify party C's domain name.
>
> This scenario could easily be prevented if party A knew it wasn't safe to
> combine domain names of different owners into the same profile.  But the
> fact that this is a new change to the way things have been done in the past
> means party A may never find out about it.
>
> There are two points to my post:
>
> 1. Resellers, be aware of the change and take appropriate precautions, and
>
> 2. Where are all these unannounced changes coming from?  Let us know when
> you change something, okay?  (I'll apologize if you did and I just missed
> it.)
>
>
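
The mixed-owner profile risk described in the quoted message can be checked for from a reseller's own records. The following is an added example, not part of the original thread and not OpenSRS code; the record layout (profile, domain, owner e-mail) and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (profile, domain, owner contact e-mail).
# Profile names, domains and addresses are made up for illustration.
RECORDS = [
    ("profile-a", "b-widgets.example", "owner@party-b.example"),
    ("profile-a", "B-Tools.example", "Owner@Party-B.example"),
    ("profile-a", "c-gadgets.example", "owner@party-c.example"),
    ("profile-d", "d-shop.example", "owner@party-d.example"),
    ("profile-d", "d-blog.example", "owner@party-d.example"),
]


def exposure_by_profile(records):
    """Return {profile: {owner: [domains that owner does not own]}}.

    A profile appears in the result only if it mixes owners, i.e. if
    sending its username/password to one owner contact would also let
    that owner modify another owner's domains.
    """
    owned = defaultdict(lambda: defaultdict(set))  # profile -> owner -> domains
    for profile, domain, owner in records:
        # Domain names and e-mail addresses are compared case-insensitively.
        owned[profile][owner.strip().lower()].add(domain.strip().lower())

    report = {}
    for profile, owners in owned.items():
        if len(owners) < 2:
            continue  # single-owner profile: credentials expose nothing extra
        all_domains = set().union(*owners.values())
        report[profile] = {
            owner: sorted(all_domains - mine) for owner, mine in owners.items()
        }
    return report


if __name__ == "__main__":
    for profile, owners in exposure_by_profile(RECORDS).items():
        for owner, foreign in owners.items():
            print(f"{profile}: {owner} would also control {', '.join(foreign)}")
```

Profiles flagged by this check are the ones to split per owner before enabling owner-contact credential mail-outs.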
