Ars Technica’s security primer on the @N hijacking is a must-read. Excellent reporting, Lee Hutchinson.
But there are two things that bug me about the whole affair, and one really nags, and I haven’t seen it mentioned in the dozen different stories I took time to read.
The first: Doesn’t GoDaddy use account numbers as identifiers? As such, wouldn’t the impersonator need this number and the new password to get into the account to hijack it? Isn’t that number more important than the last four or six credit card digits?
That raises another question: If not, does GoDaddy just give out a new password over the phone rather than sending it to the email address of record, which the impersonator presumably didn’t have?
The second: Naoki Hiroshima’s response to this whole affair is to recommend Gmail over a domain you possess. But what happens should someone gain control over your Gmail account? Last I checked, Chrome sync keeps passwords on all devices, and there is no additional security preventing anyone with account credentials from viewing them all.
That is, if they use Chrome. So the hacker could access all passwords to all your sites just by getting control of the Gmail account. Or has Google recently changed this feature, and I’m just not informed?
Comments anyone?