Well, kind of, as last night I was successfully able to add the following domains to my PKNIC (Pee-Kay NIC) domain panel.
This was not a “hack attack”. This was a very spontaneous act carried out in good faith after seeing the authorization code bug on their site. I have not done any harm to any of the sites above. I just wanted to record this bug and bring it all up in public in the greater interest of the whole Internet community of Pakistan, to help PKNIC improve their domain registration system and quality of service.
I could have changed anything from registrar/billing/technical information to DNS entries.
Should I have just changed their DNS to point them all to my site?
Well, even a small change in the DNS could have rendered any top Pakistani site out of sight (and out of business) for at least 72 hours (due to the double propagation delay involved), and sure, it could have become a real nightmare for PKNIC, but I think I am a nice guy to deal with. (Please pay me thanks by maybe having my full-size picture, with a caption of “ba’a-baa’ay Internet Pakistan” :D, on the first page of your site for at least a few days, or I won’t mind an exclusive interview for your site as well.)
A few more screenshots of the zong.com.pk site edit page and google.com.pk whois results. (Telenor and Zong should have given me a lifetime of free air time. heheh)
These screenshots themselves speak volumes about the responsibility PKNIC assumes in handling this domain business. It looked like some nice coder out there at PKNIC had been messing with the live site and had the debug code (maybe) on. So when I hit the submit button to get my new authorization code, I was surprised to see it at the very top of the site. I immediately checked my email and there it was. The same code. With fingers crossed I tried to import my domain name and yep, it was imported. I tried to generate a new code and I was given the information that it has already been imported and you should contact the person who has imported it. Imagine if you have to contact Mr. X or PKNIC to get your domain back?!?
They have now taken care of the bug by removing the SQL “SET” query display which contained the authorization code when you tried to generate a new one. They have also moved all the domains back to their previous owners/agents, so I don’t see any of these domains anymore in my account.
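The leak described above (debug output echoing the SQL “SET” statement that carries the authorization code) next to one way of closing it, as an added example that is not PKNIC's code or the author's. The table layout, column names, sample domain and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

DOMAIN = "example.com.pk"  # constructed sample domain, not taken from the post

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (name TEXT PRIMARY KEY, owner_email TEXT, auth TEXT)")
    db.execute("INSERT INTO domains VALUES (?, ?, NULL)", (DOMAIN, "owner@" + DOMAIN))
    return db

def _owner(db, domain):
    return db.execute("SELECT owner_email FROM domains WHERE name = ?", (domain,)).fetchone()[0]

def issue_code_leaky(db, domain, outbox, debug=True):
    """'Before': the code is interpolated into the SQL text and debug output echoes it."""
    code = secrets.token_hex(8)
    sql = f"UPDATE domains SET auth = '{code}' WHERE name = ?"
    db.execute(sql, (domain,))
    outbox.append((_owner(db, domain), code))
    page = "<p>Authorization code sent to the registered contact.</p>"
    return (f"<pre>{sql}</pre>" + page) if debug else page

def issue_code_hardened(db, domain, outbox):
    """'After': bound parameters, only a hash stored, nothing secret in the response."""
    code = secrets.token_hex(8)
    digest = hashlib.sha256(code.encode()).hexdigest()
    db.execute("UPDATE domains SET auth = ? WHERE name = ?", (digest, domain))
    outbox.append((_owner(db, domain), code))  # e-mail to the contact of record is the only channel
    return "<p>Authorization code sent to the registered contact.</p>"

def redeem(db, domain, presented):
    """Import check for the hardened flow: compare hashes in constant time."""
    row = db.execute("SELECT auth FROM domains WHERE name = ?", (domain,)).fetchone()
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return bool(row and row[0]) and hmac.compare_digest(row[0], digest)

def response_leaks(response, outbox):
    """Regression check: does the rendered page contain any code that was e-mailed?"""
    return any(code in response for _, code in outbox)

if __name__ == "__main__":
    for issue in (issue_code_leaky, issue_code_hardened):
        db, outbox = make_db(), []
        print(issue.__name__, "leaks:", response_leaks(issue(db, DOMAIN, outbox), outbox))
```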
You can imagine the possibilities (or may not like to imagine them at all) of your domain control being transferred to some crack head to play some domain peek-a-boo with your visitors. But the point is, should we let them easily get away with this nonsense? When, if we all try, this event can really become an eye opener for them (Pee-Kay-NIC) and we may very well start seeing some professionalism from our “beloved” Pee-Kay-NIC.
Please feel free to leave some comments on how we can use this evidence for better domain registration/maintenance services in Pakistan.
Update: PKNIC said it was a “minor” bug.
Well, this is the excerpt taken from Telecom Grid where PKNIC has replied to Mr. Shehzad Atif.
“The problem reported is completely exaggerated and misreported. There was NEVER any change of domain ownership or capability of any domain DNS modification for the few reported domains. The minor problem of sandbox test code leftover resulted in the display of some domains with outside user names (and billing contacts) attached for a few hours. We will send you the complete statement about this, and how safe PKNIC domain ownership and DNS records are. Even a genuine user or the domain owner himself can not change the domain ownership record without written authorization, let alone a fake user that is only there for the display sandbox for a few hours.”
As usual they are trying to get away by saying that it was a “minor bug” and that I did not have the access to modify anything. Well, I guess I owe a reply to this answer to let you guys know what exactly happened that night in a bit more detail. The first time I checked the edit registrar details for jang.com.pk, I could go into the next page where you modify the details and change the email address along with all other info. For a few minutes, I did think of changing the email address just to prove that I could do this change, but I realized that it may not be appropriate to do, so I passed on this.
Then I went to the DNS area, and I had the access to assign new DNS to these domains.
Then I had to attend the great “Wapda Show” for one full hour. When that ended, I checked again; I still had all those domains in my panel but the bug was fixed by then. I noticed another change in the “edit” link to change registrar info: an AJAX-powered pop-up now appears and asks for a written authorization to change these details. Till that time, I still could change the DNS settings. I was very confused about what to do now, and then gathered some courage and made up my mind to make it public. I made the screenshots, wrote the last blog post, sent it to a few friends and went to sleep as it was late at night. In the morning, when I woke up, all of the domains were moved back to their last state.
I seriously wish I could have videotaped all these acts.
A few questions to PKNIC are:
– What if those domains had not belonged to some giant companies, would they have taken the same speedy action they took in this case?
– YOU are PKNIC, come on! A lot of people in Pakistan have put their future in your hands. They have invested huge sums in a domain name managed by you. Even if that was a “minor” bug to you, why, WHY did it happen in the first place? If you can slip this one away, it is quite possible that we may see even worse leakage in future as long as you are not taking full responsibility for this business.
I would really like to help make the system as secure as possible and would be delighted to have your comments/replies over here so we may sort things out for the greater interest of domain owners and Internet users of Pakistan.