Allowing Domains or Accounts to Expire
Description
Through neglect an administrator may allow a domain name or e-mail account to expire. Domains have a significant grace period for expiration, and e-mail addresses using free services such as Yahoo may expire after several months of not logging in.
Risk Factors
- The biggest risk involved is if you have an e-mail server on a domain that is allowed to expire. The more users there are, the more personal information you are putting at risk when they use those e-mails as backup e-mails for accounts on websites. An attacker can simply purchase the domain and setup a mailserver. By analyzing the spam coming in, they can determine the actual usernames people used on the domain and possibly what services they used with those e-mails.
- Considering that, you should be careful only to use e-mails hosted on domains owned by companies that don’t show any sign of going under in the future.
- There is very little recourse if a malicious entity has purchased your domain. They can sell it back to you for however much money they want to charge. Even if you have grounds for a lawsuit, it can take months at least.
- If you have applications(especially no-longer supported) sending data to a domain, if an attacker buys the domain they can gather personal information from your users.
- Domains most likely to expire are those belonging to projects or companies that no longer exist.
Threat Model
| Asset | Threat | Impact |
|---|---|---|
| Expired Domain | Purchased by attacker | Intercept user emails |
| Old Email Address | Reclaimed by attacker | Reset linked accounts |
| Legacy App Endpoints | Still communicating with expired domain | Leak sensitive user or app data |
| Backup/Recovery Emails | Controlled by third parties post-expiry | Account takeover, identity theft |
Attackers often exploit these expired assets to:
- Monitor and harvest incoming mail (especially spam and password reset emails).
- Conduct phishing or social engineering using a trusted domain.
- Reverse-engineer platform usage and service connections of former users.
Ways to Prevent Domain and Email Expiry Risks
-
Track Domain and Email Expiration Dates Implement a centralized tracking system with automated alerts to monitor upcoming renewals and prevent accidental lapses.
-
Enable Auto-Renewal for Critical Services Configure auto-renewal for all essential domains and email services, ensuring a valid and up-to-date payment method is in place.
-
Avoid Free or Unreliable Email Providers For business-critical communications, use email accounts hosted on domains you control. Avoid free services (e.g., Yahoo, Hotmail) for any official or recovery-related use.
-
Use Stable, Owned Domains for Account Recovery Ensure account recovery emails (e.g., for social media, cloud platforms) are tied to institutional or long-term domains—not temporary or project-based ones.
-
Properly Decommission Legacy Applications Before retiring an application or domain, audit all dependencies and update configurations to prevent sensitive data from being sent to an attacker-controlled domain.
Related OWASP Topics
- OWASP Domain Protect Project
- OWASP Top 10: A05 – Security Misconfiguration
- OWASP Application Security Verification Standard (ASVS)
- Threat modeling methodologies such as STRIDE