As part of a large-scale privacy investigation, I have bought more than 100 domain names previously belonging to social welfare and justice institutions in Belgium. What I observed was unsettling.
Good work again π
Excellent research and examples! I will use these examples in the next IT-meeting at our company. Great work!
In 2021 I was the victim of a burglary. The police asked me to send them the images from my camera. The policewoman called me back 3 times to tell me she hadn't received the film.
After checking, I realized that I had sent the e-mail to
[email protected]
and not to
[email protected]
I checked the WHOIS and policebelgium.eu had been anonymously registered. So they were victims of a magnificent typo-squatting.
I notified the police and secret services, but never received a reply. I checked many times afterwards; the domain had not been recovered by the Belgian state.
Was policebelgium.eu one of your 107 domains?
Great article! For for-profit companies/holders of domains in generic TLDs (.com, .net, .org, .whateverSomebodyPaidIANAFor, equivalents below ccTLDs) the only recourse is to continue paying for the domain (ideally also paying a DNS host to avoid non-use takeovers), but for governments using their own ccTLD there is no excuse. Many countries have the (possibly localized) equivalent of .gov.CountryCode that is closed to everybody but government entities that can justify a use for the domain in question.
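A defensive check that follows from this comment's point about renewal, added here as an example (it is not code from the original article or its author): it parses WHOIS responses for an organization's own domains and flags any that are expired, close to expiry, or no longer registered at all, which is the state in which someone else can pick the name up. The domain names, WHOIS text, expiry formats and 60-day threshold are constructed sample values.

```python
import re
from datetime import date

# Constructed sample WHOIS responses (not real registry output). The first two use
# the expiry-line spellings seen most often; the third is the dropped-domain case.
SAMPLE_WHOIS = {
    "welfare-office.example": (
        "Domain Name: welfare-office.example\n"
        "Registry Expiry Date: 2024-07-01T00:00:00Z\n"
        "Registrar: Example Registrar\n"
    ),
    "justice-archive.example": (
        "domain: justice-archive.example\n"
        "expires: 2025-03-15\n"
        "status: registered\n"
    ),
    "policebelgium.example": 'No match for domain "POLICEBELGIUM.EXAMPLE".\n',
}

# Expiry line formats handled; registries differ, so extend this list as needed.
EXPIRY_PATTERNS = [
    re.compile(r"^\s*Registry Expiry Date:\s*(\S+)", re.I | re.M),
    re.compile(r"^\s*Expir(?:y|ation) Date:\s*(\S+)", re.I | re.M),
    re.compile(r"^\s*expires:\s*(\S+)", re.I | re.M),
]
# Phrases that mean the registry has no record, i.e. the name is free to register.
UNREGISTERED_MARKERS = ("no match", "not found", "no entries found", "status: available")


def parse_expiry(whois_text: str):
    """Return the expiry date found in a WHOIS response, or None when the
    domain appears unregistered or the format is not recognised."""
    lowered = whois_text.lower()
    if any(marker in lowered for marker in UNREGISTERED_MARKERS):
        return None
    for pattern in EXPIRY_PATTERNS:
        match = pattern.search(whois_text)
        if match:
            # Accept both ISO timestamps (2024-07-01T00:00:00Z) and bare dates.
            try:
                return date.fromisoformat(match.group(1)[:10])
            except ValueError:
                return None
    return None


def classify(whois_text: str, today_iso: str, warn_days: int = 60) -> str:
    """Classify one domain relative to a reference date given as YYYY-MM-DD."""
    expiry = parse_expiry(whois_text)
    if expiry is None:
        # Either already dropped or unparseable: both need a human to look.
        return "UNREGISTERED_OR_UNKNOWN"
    days_left = (expiry - date.fromisoformat(today_iso)).days
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "RENEW_SOON"
    return "OK"


def audit(whois_by_domain: dict, today_iso: str, warn_days: int = 60) -> dict:
    """Run classify() over every domain and return {domain: status}."""
    return {d: classify(text, today_iso, warn_days) for d, text in whois_by_domain.items()}


if __name__ == "__main__":
    for domain, status in audit(SAMPLE_WHOIS, "2024-06-01").items():
        print(f"{domain:28} {status}")
```

In practice the WHOIS text would come from a live lookup per domain, and the audit would run on a schedule so that a name still used in published e-mail addresses can never quietly lapse; anything reported as `UNREGISTERED_OR_UNKNOWN` for a domain the organization believes it owns is the situation the article describes.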
Some people use Dropbox accounts bound to email addresses they do not care about. It is a way to avoid spam. Can you imagine that some of the Dropbox accounts where you have performed a password reset were still actively used even though the email was invalid? The owner can no longer recover their password and has lost access to their account because of you. Are you sure you are a responsible citizen?
Did you read the entire article? He had disclosed clearly on the domain what was happening with that domain in particular, with means to contact him directly to resolve any issues. I would say that is responsible.
Not to mention there are many alternative routes for that person to take in order to resolve the issue, such as simply contacting dropbox directly about the issue.
What you have described is a complete non-issue when compared to the damage this threat can *really* do when used by a bad actor. The awareness this brings as an attack vector outweighs the inconveniences possibly caused IMO.
Using a service like Dropbox without a valid email address is most likely against their TOS. I wouldn't be so indignant about mis-using services and then complaining when it breaks.