This is a story about how the domain SmartWP.com was stolen from me and my friend Ryan Robinson. I’d consider myself pretty savvy with web security and domain name registrars, but I had no idea what GoDaddy had in store for us.
Before I start, I want to note that Afternic is a domain name auction platform owned by GoDaddy. I was unfamiliar with the site, but it basically functions like GoDaddy Auctions, just off GoDaddy. Domain names for sale on Afternic also show up on GoDaddy Auctions and various other platforms.
In this post I’ll be going over a few things:
- How I think the GoDaddy & Afternic domain sale system is broken.
- What to do if you receive an “Action required: Authorize your domain listings.” email.
- General visibility into how your domains can be vulnerable on GoDaddy.
Let’s start from the beginning with the “Action required: Authorize your domain listings.” email from GoDaddy and Afternic. To be clear, Afternic is owned by GoDaddy, so I find it shocking how this system works on their end.
“Authorize your participation in Afternic.” Email
The SmartWP.com domain is in Ryan’s account, so all of this happens through his GoDaddy account. We bought the domain in 2019 from GoDaddy Auctions for $400.
On March 3rd, 2022, Ryan forwarded me an email with the subject “Action required: Authorize your domain listings.” I’m used to getting hundreds of password reset emails and similar, so nothing about it was that alarming to me. Typically companies include an “I didn’t request this” button, but this email didn’t have one, so I just warned Ryan not to click anything and we ignored it.
My assumption was that if you don’t click authorize, it won’t be authorized.
We were wrong about that assumption.
My second assumption was that if the authorization was approved, Ryan would receive a second email.
We were also wrong about this.
We ignored the email (and received ZERO further emails mentioning Afternic).
Fast forward to July 2nd, 2022. I wanted to make a DNS change to SmartWP, so I logged in via delegate access. This is where things got funny: I noticed SmartWP wasn’t in his account. I figured maybe he had moved it or the GoDaddy UI was messed up.
So I sent Ryan a quick text to check whether he had moved the domain.
He looked through his account: no indication that the SmartWP domain had ever existed in it, aside from the renewal bills he could see.
This is probably the part that made me the most angry: GoDaddy support clearly isn’t trained on this platform or integration. Why wouldn’t their first response be “oh, you authorized a sale on X date, so the domain sold”?
In the time GoDaddy support was working to get back to us, the person who stole the domain had already sold it, which is probably the craziest part.
If GoDaddy support had been trained for this, we could have cancelled the auction before it ever sold.
This kind of blew our minds at this point; there is no way Ryan authorized this, and he checked for any follow-up emails.
This eventually led us to give up and get SmartWP.co as a backup.
Later I’ll go over how we recovered the domain, but first I want to go over what to do if you get this email from GoDaddy.
What to do if you get the “Action required: Authorize your domain listings.” email?
If you get an email from GoDaddy asking you to authorize your participation in Afternic, I highly recommend calling them right away. Of course, don’t click anything in the email, but you’ll want to call them and confirm 100% that this “integration” isn’t connected to your account/domain.
I am convinced that after you get this email an attacker is trying to social engineer GoDaddy support into authorizing the domain out from under you. I have checked all of Ryan’s account logs for his email and GoDaddy account and see zero suspicious logins.
How We Got the Domain Back
I’m not sure everyone will be as lucky as we were. Ryan spent over 5 hours with support, unable to resolve this, until someone at GoDaddy saw his tweet and pushed it up to the office of the CEO.
So for most users I sadly don’t think this will be a path forward.
On July 8th, Ryan made the tweet below after he realized the domain was gone from his account. We also saw that it was on sale for $65,000 on Afternic.
Ryan got a bunch of useful leads from this, and eventually the director of education at GoDaddy reached out to him and pushed the issue up the chain.
After a few days we learned that the office of the CEO was dealing with the issue, and we waited. They said they’d reach out on July 15th with details.
And just like that, Ryan got an email saying the domain was in his account, and a call from the CEO’s office. They weren’t able to give us any more details, which I assume is to prevent a lawsuit, but we’re happy with the outcome.
We spent 3 years building content and backlinks to the site, so it would have been a shame to lose the domain.
Changes I’d Love to see GoDaddy Make
Here’s some feedback for GoDaddy about their Afternic platform. I came to these conclusions after I tried to list a domain using this integration so I could see the inner workings.
Basically ANYONE can sign up for Afternic and list YOUR domain for sale. The tricky part comes in with their “instant transfer” feature. If the seller (who doesn’t have to be connected to your GoDaddy account) opts into the instant transfer feature, GoDaddy will send the authorization email noted above to the corresponding GoDaddy account.
This means you can, in theory, bulk spam people with authorization emails in hopes that someone accidentally approves one. Worse, I assume a scammer can call GoDaddy and convince them to authorize it.
Ideally they should simply remove Afternic from their products; they already have an auction platform, so I am not sure why it even exists. Afternic is basically designed in a way that helps scammers: the user who uses it to sell your domain can have a separate contact, separate payout, and completely different information from the domain holder’s account.
That being said, here are some small changes I think they can make to the Afternic authorization system, based on testing how it works currently.
- Send multiple emails for every step of the process. I tried authorizing this process on my end and it only sends ONE email, the initial email listed above. There needs to be a “You authorized Afternic” email that follows the connection. This would give someone the chance to realize something is happening to their domain.
- Second, the GoDaddy UI doesn’t note ANYTHING about Afternic. If you have a domain authorized for sale on Afternic, your domain will still appear “locked” and not listed for sale on GoDaddy Auctions. This means you won’t know your domain is for sale even if you check your GoDaddy account frequently.
- I would love for them to have an audit log of approvals like this. After searching the UI there is no indication you approved such a thing, which is insane considering it basically hands your account over to anyone.
Thanks for reading! I really hope this doesn’t happen to others.
From my research for this post, I can tell this happens to others. As you may know, DNS records can remain the same while a domain is for sale, so most users won’t even know this is happening as their domain is sold out from under them.
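Because DNS keeps resolving while the domain changes hands, the one place a change does show is the registry record itself. The script below is an added example for this post, not code from the author, GoDaddy or Afternic: it reduces an RDAP domain response (RFC 9083 shape) to the fields that matter, compares two snapshots, and alerts on any difference. The sample responses are constructed, and the `.com` RDAP base URL in `fetch_rdap` is an assumption to confirm against the IANA RDAP bootstrap data for other TLDs; the offline demo never calls it. The point the sample makes is that a transfer between accounts at the same registrar leaves nameservers and registrar name untouched, so the signals to key on are the "last changed" and "transfer" event timestamps and the EPP status codes.

```python
"""RDAP snapshot monitor for a domain you own (added example, not the post's code).

Detects registry-side changes to a domain even when its DNS records are untouched.
"""
import json
import urllib.request

# Fields worth watching. A move between accounts at one registrar keeps the
# registrar name and nameservers, so events and status are the reliable signals.
WATCHED = ("registrar", "status", "nameservers", "last_changed", "transfer")


def summarize_rdap(doc):
    """Reduce an RDAP domain object (RFC 9083 shape) to the watched fields."""
    registrar = None
    for ent in doc.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # vcardArray is ["vcard", [[name, params, type, value], ...]]
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    events = {ev.get("eventAction"): ev.get("eventDate")
              for ev in doc.get("events", [])}
    return {
        "registrar": registrar,
        "status": sorted(doc.get("status", [])),
        "nameservers": sorted(ns.get("ldhName", "").lower()
                              for ns in doc.get("nameservers", [])),
        "last_changed": events.get("last changed"),
        "transfer": events.get("transfer"),
    }


def diff_snapshots(old, new):
    """Return {field: (old_value, new_value)} for every watched field that moved."""
    return {k: (old.get(k), new.get(k)) for k in WATCHED if old.get(k) != new.get(k)}


def alerts(old, new):
    """One line per changed field; an empty list means the registry record is unchanged."""
    return [f"{k}: {a!r} -> {b!r}" for k, (a, b) in diff_snapshots(old, new).items()]


def fetch_rdap(domain, base="https://rdap.verisign.com/com/v1/domain/"):
    """Live lookup. The base URL is assumed to be the .com registry's public RDAP
    service; other TLDs use other servers (see the IANA RDAP bootstrap file).
    The offline demo below does not call this."""
    with urllib.request.urlopen(base + domain, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses, not real lookups. AFTER keeps registrar, status
# and nameservers identical and only moves the registry events: the case where
# the site keeps resolving and nothing in DNS hints that the domain changed hands.
BEFORE = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client update prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.NET"},
                    {"ldhName": "NS2.EXAMPLE-DNS.NET"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrar, LLC"]]]}],
    "events": [{"eventAction": "registration", "eventDate": "2019-05-01T00:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2021-05-01T00:00:00Z"}],
}
AFTER = json.loads(json.dumps(BEFORE))  # deep copy of the constructed record
AFTER["events"] = [
    {"eventAction": "registration", "eventDate": "2019-05-01T00:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2022-03-03T00:00:00Z"},
    {"eventAction": "transfer", "eventDate": "2022-03-03T00:00:00Z"},
]


def demo():
    """Compare the two constructed snapshots and return the alert lines."""
    return alerts(summarize_rdap(BEFORE), summarize_rdap(AFTER))


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)
```

In use you would store `summarize_rdap(fetch_rdap(domain))` once a day and page on a non-empty `alerts(previous, current)`; any registry-side event you did not initiate is worth a phone call to the registrar before, rather than after, the domain is relisted.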