"If [the attackers] wanted to be slick about it, they could gain access, insert their code, create backdoor admin accounts, and return access back to the original owner before they even knew what had happened. The owner would receive the confirmation email, see that their website is still online, and consider it a phishing attack and just delete it," Mr. Troia said.
GoDaddy isn't the only major domain registrar to use photo ID as a last resort. Network Solutions also has an ID-based verification, but unlike GoDaddy, the ID and required documents must be faxed over, instead of uploaded. Interestingly enough, one domain registrar, Hover.com, doesn't allow photo ID as a form of verification, because "anyone could just whip something up in Photoshop."
Using GoDaddy's DomainControl and privacy features, which are offered as a value-added service for an additional cost, would only slow a determined attacker. While the public can't see the registration details, GoDaddy's support staff can. So an attacker armed with public information could still abuse the change of account form.
Mr. Troia hopes that by exposing the logic flaw in their security model, GoDaddy will implement tougher verification procedures, but admits it's a paradoxical situation. A valid government-issued ID should be an acceptable form of verification, but it's clearly not enough.
Two-factor authentication isn't viable either, he said, because if someone hijacks the domain and enables that protection after the fact, then the customer would be left with few options for reacquiring access to the domain.
"The reality is that if I register a domain, I should have some idea of what credit card was used to pay. In your case, the domain was registered a few days ago, so it's not as if I would have no record of it. I could have pulled up my bank statement and gotten the last four digits," he said.
"This [change of account form] probably exists to help the customer gain access to their domain in the event of an issue, but we have clearly shown that there isn't enough security to protect the customer from having their domains stolen."
GoDaddy did attempt to contact me via email and inform me of the registration changes, including the new DNS settings that Mr. Troia applied to a domain recently purchased for this story.
Unfortunately, that email came long after he had reset the account password. A follow-up email didn't arrive until nine hours later. If this attack had been real, it would have been too late. The domain where the GoDaddy warning was sent is on the same account that was compromised.
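The warning described above reached the owner hours after the damage was done, and it went to an address on the very account that had been taken over. One defensive response is to watch the domain's nameserver records from outside the registrar and alert through a channel the registrar account cannot touch. The following is an added example, not code from the article or from GoDaddy; it compares a recorded nameserver baseline against later observations. The hostnames, timestamps and the observation list are constructed so the script runs offline; in practice the observations would come from a DNS lookup and the alert would go to an out-of-band address.

```python
"""Registrar-independent nameserver-change monitor (added example).

Assumptions (not from the article): the domain owner records the expected
nameserver set when the domain is registered, polls the public DNS on a
schedule, and routes any alert to an address that is NOT hosted on the
monitored domain or its registrar account. The sample data below is
constructed for illustration only.
"""
from dataclasses import dataclass


def normalize(names):
    """Lower-case, strip whitespace and trailing dots so that
    'NS1.Example.test.' and 'ns1.example.test' compare equal."""
    return {n.strip().lower().rstrip(".") for n in names if n and n.strip()}


@dataclass(frozen=True)
class NsChange:
    """Nameservers that appeared (added) or disappeared (removed)
    relative to the recorded baseline."""
    added: frozenset
    removed: frozenset

    def __bool__(self):
        # A change is only 'truthy' when something actually differs.
        return bool(self.added or self.removed)


def diff_nameservers(baseline, observed):
    """Compare one observed NS set against the baseline."""
    base, seen = normalize(baseline), normalize(observed)
    return NsChange(added=frozenset(seen - base), removed=frozenset(base - seen))


def check_observations(baseline, observations):
    """Run the comparison over a list of (timestamp, [nameservers]) polls.

    Returns a list of (timestamp, NsChange) for every poll that differs
    from the baseline, so the caller can raise an out-of-band alert.
    """
    alerts = []
    for timestamp, seen in observations:
        change = diff_nameservers(baseline, seen)
        if change:
            alerts.append((timestamp, change))
    return alerts


# Constructed sample data: a baseline recorded at registration time ...
BASELINE = ["ns1.example-registrar.test.", "NS2.example-registrar.test"]

# ... and two hourly polls; the second shows the records pointing elsewhere.
SAMPLE_OBSERVATIONS = [
    ("2013-01-01T09:00Z", ["ns1.example-registrar.test", "ns2.example-registrar.test"]),
    ("2013-01-01T10:00Z", ["ns1.unexpected-dns.test", "ns2.unexpected-dns.test"]),
]


if __name__ == "__main__":
    for when, change in check_observations(BASELINE, SAMPLE_OBSERVATIONS):
        # In deployment this line would be an email/SMS to an independent address.
        print(f"{when}: NS changed; added={sorted(change.added)} "
              f"removed={sorted(change.removed)}")
```

The point of the design is independence from the registrar: the baseline lives with the owner, the poll reads the public DNS rather than the registrar's control panel, and the alert destination is chosen so that resetting the registrar account password does not also silence the warning.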
So what can consumers and organizations do to protect themselves from this type of attack?