Last week we sent an email to all Enom resellers who have a .UK domain in their account, letting them know that we had identified and patched a vulnerability that allowed zero-confirmation transfers of first-level .UK domains between Enom reseller accounts. It’s important to note that second-level .UK domains such as .co.uk and .org.uk were never affected. The patch stopped our system from auto-approving inter-account domain transfer requests for first-level .UK domains, forcing those transfers to go through the proper FOA process. Today we deployed a permanent fix that fully resolves the issue.
The issue was first brought to Enom’s attention by an Enom reseller and the m group security advisory team. Due to a series of internal miscommunications, the issue was not escalated correctly, and the update required to correct it took longer than we would have expected. We are currently doing our due diligence to understand what happened, why it happened, and why the proper escalation procedure was not followed. We do not take any of these issues lightly, and we’ll take the necessary steps to improve our internal escalation process immediately.
Please note that no other TLDs were impacted. The .UK domains in your Enom account are not at risk and no action is required on your part.
If you have any concerns, please contact support at firstname.lastname@example.org