Verifying domain name ownership
I got a nice shout-out on TechCrunch today for discovering an issue with the new Kindle Publisher program. The vulnerability allowed anyone to claim a blog as their own and take advantage of the 30% rev-share that Amazon offers on their $1.99 subscription fee. Erick Schonfeld did a nice job covering the issue and explaining the implications of the hack. You can read about it on the TechCrunch article.
The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name. I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong — especially when there is a large audience and money to be gained.
For those who are interested in the best way to do domain name ownership (ahem, Amazon) Google would be a great role model for you to follow. There is a nice explanation on how Google’s domain verification process works on their help pages:
To verify that you own a site, you can either add a meta tag to your home page (proving that you have access to the source files), or upload an HTML file with the name you specify to your server (proving that you have access to the server).
Each verification method has its advantages. Verifying using a meta tag is ideal if you aren’t able to upload a file to your server. If you have direct access to your server, you may find it easier and faster to upload an HTML file.
Amazon would do well to follow Google’s lead.