300 UK domains pilfered, massive security lapse blamed
What appears to be a glaringly obvious security hole has been blamed for the snatching of 300 domains hosted by one web-hosting firm last year, The Reg has discovered.
A source told El Reg that anyone with a hosting package from 123-Reg, and hence an account control panel, simply had to change the final section of the URL manually (to, for example, /someoneelseswebsite.co.uk) to be able to gain access to another site's emails, name servers and billing.
With access to the admin panel, would-be domain thieves just had to change the contact details for UK registry Nominet to a new email address and then do a failed password request to have a new password sent to the new email address, locking the original owner out, our source claimed.
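The flaw described above is a missing ownership check: the control panel trusted the domain named in the URL instead of tying it to the logged-in account. The sketch below is an added example, not code from 123-Reg or from the article; the route layout, account IDs, domain names and function names are all constructed for illustration. It puts the flawed pattern beside a handler that checks ownership before showing any panel where contact details could be changed.

```python
from dataclasses import dataclass

# Constructed sample data: which account owns which hosted domain.
DOMAIN_OWNERS = {
    "alice-shop.example": "acct-1001",
    "bobs-blog.example": "acct-2002",
}

@dataclass
class Session:
    account_id: str  # set by the login flow, never read from the URL

class Forbidden(Exception):
    """Raised when the panel must not be shown to this session."""

def domain_from_path(path: str) -> str:
    """Return the final URL segment, normalised as a domain name."""
    return path.rstrip("/").rsplit("/", 1)[-1].lower()

def panel_vulnerable(session: Session, path: str) -> str:
    """Flawed pattern: any logged-in account gets whichever domain the URL names."""
    domain = domain_from_path(path)
    if domain not in DOMAIN_OWNERS:
        raise Forbidden(domain)
    return domain  # the session is never compared with the domain's owner

def panel_hardened(session: Session, path: str, audit_log: list) -> str:
    """Serve the panel only if the session's account owns the requested domain."""
    domain = domain_from_path(path)
    owner = DOMAIN_OWNERS.get(domain)
    if owner is None or owner != session.account_id:
        # Same error for "not yours" and "not hosted here", so the panel
        # does not confirm which domains exist; the denial is recorded
        # so repeated probing of other customers' domains is visible.
        audit_log.append(("denied", session.account_id, domain))
        raise Forbidden(domain)
    return domain

if __name__ == "__main__":
    log = []
    user = Session("acct-1001")
    print(panel_vulnerable(user, "/panel/bobs-blog.example"))
    try:
        panel_hardened(user, "/panel/bobs-blog.example", log)
    except Forbidden:
        print("denied", log)
```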