NameCheap has said it intends to notify customers of a misconfiguration issue that allowed customers to create subdomains for any hosted account.

Richard Kirkendall, CEO for the ICANN-accredited registrar, said on Twitter that the company is currently conducting an audit and plans on “contacting any affected customers directly” following the discovery of a misconfiguration issue on its nameservers. He went on to say that NameCheap has implemented a fix and that it’s a “high priority” for the enterprise to inform customers of what happened.

The issue first came to light on 5 February when NameCheap customer Kirk McElhearn received an email from Google warning him that it appeared someone had hacked a few of his subdomains.

A screenshot of the email received by McElhearn from Google. (Source:

Concerned, McElhearn checked Cpanel to see if anyone had hacked into his account. He didn’t find any new subdomains, including the ones Google told him about in its email.

After changing his password for safe measure, McElhearn contacted NameCheap. The registrar looked into the matter and told McElhearn it had detected a misconfiguration issue on one of its nameservers. Essentially, another customer of NameCheap had abused the weakness to add the sudomains for to their own hosting account.

That’s not all the flaw allowed, however. As McElhearn explains in a blog post:

Even though I have SSL on my website – meaning that it uses https instead of http in its URL – and any incoming traffic to ht​tp:// is automatically redirected to the https version of the site, the sub-domains were parsed by name servers before they reached my site’s server, so they weren’t redirected.

From those unprotected pages, unauthorized actors could capitalize on the prominence of another customer’s website like McElhearn’s to distribute spam and (Read more...)