According to a posting in DnForum.com today, there is a glitch in Sedo system that is placing domains not owned by a particular customer into its account thereby allowing the customer to edit the listings for domains they don’t own.
The customer of Sedo apparently logged into his account and found domain he didn’t own listed.
He successful attempted to change the price of one of the domain names that he didn’t own that was listed in his account lowering the price from $6,000 to $100 and then bought the domain.
The customer then contacted Sedo and had a detailed conversation with them, which he posted on DNForum.com under the title
“”Sedo allows ME to edit YOUR listings. Yes, really!””
The customer that posted this on DNForum is the one who alerted us to the situation which sounds quite alarming and everyone should be on the lookout for similar errors.
The same customer posted the conversation on Namepros.com as well.
Here is the post of the conversation:
This morning I logged in to sedo and was surprised to notice that I had access to somebody ELSE’s domain listings in addition to some of my own.
While sedo was in the middle of assuring me that these were only “pending listings”, I changed the price of Ability.info (not my domain) from over $6,000 to just $100 and proceeded to buy it. However, since Ability.info was “mine” (it isn’t, remember), Sedo wouldn’t allow the transaction to proceed. Sedo didn’t seem to understand why this would be a problem. Perhaps you’d like to buy Ability.info for 1/60th the price set by its rightful owner and educate Sedo about why this matters.
Meanwhile, who knows who can edit my listings or yours.
Below is my complete conversation with Sedo from just minutes ago. I’ve changed the individual’s names and nothing else:
Sedo Employee: Hi, my name is Sedo Employee. How may I help you?
Me Myself and I: By firing somebody. I don’t know who yet.
Sedo Employee: Hello
Me Myself and I: I just logged into my account and found that I have control of somebody ELSE’S domains.
Sedo Employee: Okay, just one moment
Me Myself and I: Some of mine are there.
Me Myself and I: But many domains belong to some other person.
Sedo Employee: okay, have you recently updated your domain list?
Sedo Employee: these domains may be pending verification
Me Myself and I: I sent Sedo a bulk upload spreadsheet in January … which you guys are still trying to figure out.
Sedo Employee: just one moment
Me Myself and I: It hasn’t been processed yet, to my knowledge.
Me Myself and I: I cannot verify that all of my domains are present in my own account.
Me Myself and I: For all I know, somebody ELSE is now in control of my domain listings.
Sedo Employee: Just one moment, I’ve sent a message to our security and compliance department
Sedo Employee: domains can only be listed in one account at a time, so if the domains are listed in your account, they cannot be listed elsewhere
Me Myself and I: I also sent an email to Mr. So-And-So (my contact at Sedo) a few minutes ago.
Me Myself and I: Not according to what I see. I found numerous domains from somebody else’s account in my “My Domains” tab.
Me Myself and I: And the total number of domains in my account is now less than it was before.
Me Myself and I: So some of mine have gone missing.
Sedo Employee: okay, I can also check with your account manager
Sedo Employee: do you have an up to date Excel file that you could send us? That way we can make sure all your domains remain listed
Me Myself and I: The one I sent around January 30 is close enough to up to date.
Me Myself and I: I’ve sent it twice, I believe.
Sedo Employee: okay
Sedo Employee: I’ve had our security and compliance department reject some, have you received emails to your gmail account?
Sedo Employee: I want to make sure you’re not going to receive multiple emails
Me Myself and I: Yes, there are emails coming in.
Sedo Employee: okay, how many?
Me Myself and I: 10 at this point.
Sedo Employee: okay
Me Myself and I: These aren’t mine:
Me Myself and I: inspiredpress.com
landscapingcatalog.com
loveconcepts.com
aag.info
4x4adventuretours.com
401kplans.info
ability.info
abnormaldesigns.com
abilityfitness.com
1031exchange.info
21k.info
accepted.info
academicsmart.com
accentbydesign.com
abnormalphotography.com
academicsoftware.info
academicscholarships.info
absurd.info
actingschool.info
activeatlanta.com
acidphotography.com
accidentinjurylaw.info
accidentinjurylawyer.info
accomplish.info
accountspayable.info
activeextreme.com
activebodynutrition.com
activeencounters.com
activeboston.com
activedetection.com
activedallas.com
activecatering.com
activelasvegas.com
activelifecoach.com
activehonolulu.com
activefitnesstraining.com
activeinvestigations.com
activelounge.com
activeintervention.com
activemiami.com
activesingles.info
activesinglesclub.com
activesanfrancisco.com
activeneighbors.com
activeoutpost.com
activereferrals.com
activeworkout.com
Me Myself and I: I have no idea where they came from.
Me Myself and I: There may be others that aren’t mine apart from that list, but these are easily identifiable because they’re Fixed Price; and all mine were Make An Offer.
Sedo Employee: yes, you can disregard that
Me Myself and I: Sedo now has 6653 listings in my account–which include the domains that aren’t mine. I should have around 8000, give or take.
Sedo Employee: yes, we can make sure none of those get added to your account, but you will likely receive emails notifying you that they were declined
Sedo Employee: the domains you see are pending, which means that they are not actually added to your account unless we approve them, which we won’t
Sedo Employee: since this is a technical issue, we’re going to have them removed manually so that you don’t have to receive emails for these domains that do not belong to you
Sedo Employee: I wanted to see if you were receiving the emails about it. since you shouldn’t be, our tech team can likely have them removed
Me Myself and I: Is this a glitch associated with the bulk upload spreadsheet being processed? Or has that bulk upload not begun yet?
Sedo Employee: Either way, none of these domains will actually be added to your account
Sedo Employee: yes, it looks like a technical issue. We will get it straightened out ASAP
Me Myself and I: But why would they ever be added to my account? I certainly didn’t include them in my spreadsheet.
Me Myself and I: Presumably, these were the domains that Mr. So-And-So kept referring to as belonging to someone else–which postponed my spreadsheet’s being processed.
Me Myself and I: And presumably these domains have been delayed for their rightful owner too.
Sedo Employee: Yeah, I will check with Mr. So-And-So and make sure everything is good to go, but no domains should be taken out or put into another account
Sedo Employee: our Security and compliance department manually reviews any domains being transferred into other accounts
Sedo Employee: I’ve spoken with them to make sure everything is being taken care of
Me Myself and I: Can you tell whether a bulk upload spreadsheet has been processed or not for this account in the last day or so?
Sedo Employee: i can’t confirm that. I did see one from February 2nd
Me Myself and I: The spreadsheet was not processed on February 2nd because no changes have appeared in my account.
Me Myself and I: –Until this change, that is.
Sedo Employee: okay, well I’ve notified Mr. So-And-So that we’re having our tech team work on this issue
Sedo Employee: so he should be able to give you an update once we sort it out
Me Myself and I: I understand that you’re hinting that the matter is resolved. But from my perspective, I don’t know that I can trust Sedo to keep other people’s domains out of my account or to keep my domain listings in my own. And I don’t even know how the wires got crossed.
Me Myself and I: It’s bad enough that it takes over 1 month to update those listings. But at least I thought they’d stay put!
Sedo Employee: we do have a process that we have to manually verify the domains before they are listed. This is to make sure the listing process is secure.
Me Myself and I: Yes, I understand that. Sedo has manually rejected a lot of domains that I own for inexplicable reasons; so I’m familiar with domains being rejected. But, like you said earlier, domains can only be in 1 account at a time. So while this guy’s domains are “Pending Review” in my account, they’re not active in his. And vice versa, probably.
Me Myself and I: Let me ask a simple question:
Me Myself and I: Who put this guy’s domains in my account?
Me Myself and I: It’s nice that Sedo would have rejected them. But why should Sedo have to?
Me Myself and I: Let me ask another simple question:
Me Myself and I: What prevents somebody from putting my domains in somebody else’s account?
Sedo Employee: well they would still be active in the other user’s account
Me Myself and I: Granted, they’d be rejected on Whois reasons …
Sedo Employee: unless they were newly added domains, in which case those are separately checked as they have not been added before
Me Myself and I: I saw price settings for his domains. Are you telling me that I could not have edited those settings?
Sedo Employee: the checking process we have ensures that you cannot put domains into somebody else’s account
Me Myself and I: His domains seemed to be in my account. What would have happened if I’d lowered his prices? Nothing?
Communication with the RightNow Chat service has been lost. Please wait while attempts are made to restore the connection.
Disconnection in 240 seconds.
Connection resumed.
Sedo Employee: yes, they should not be listed for sale while pending verification
Sedo Employee: and any changes to the pricing information would be removed once the domains were checked and not added to the account
Sedo Employee: if you look in the “Sales Settings” tab, the domains pending verification shouldn’t even be listed there
Me Myself and I: Do you suppose there’s any connection between the month-long wait and the mis-handling of domains? Criss-crossing them between different people’s accounts? After all, “they should not be listed for sale while pending verification”; and this would cause them to pend and pend and pend.
Sedo Employee: I’ll have to check with one of the account managers
Sedo Employee: if you’ve ever experienced a month long wait for domains to be added, please let us know and we’ll make sure that it gets expedited
Me Myself and I: Your last statement is incorrect. I just went to the “sales Settings” tab.
Me Myself and I: There I see multiple domains that aren’t mine.
Me Myself and I: For example, Ability.info is listed at $4997. I’m going to change it.
Me Myself and I: It is now for sale at $100.
Sedo Employee: okay, just one moment, I can check
Me Myself and I: Too late.
Me Myself and I: I just bought it.
File attachment upload has started.
The file Sedo Incompetence.tiff (53.23KB) was received.
Me Myself and I: So here’s the situation.
Me Myself and I: Ability.info is SOMEBODY ELSE’S domain.
Me Myself and I: It’s in my account.
Me Myself and I: I lowered the price on Sedo.
Me Myself and I: The lowered price is reflected for everybody to see.
Me Myself and I: I bought the domain.
Me Myself and I: Fortunately for Sedo, I can’t continue the transaction because Sedo claims this domain (which isn’t mine) IS mine.
Me Myself and I: And I’m not allowed to buy “my own domain”.
Me Myself and I: But I can lower all these prices.
Sedo Employee: are there multiple other domains listed in the account?
Me Myself and I: Then I can call my buddy.
Me Myself and I: And he can buy them all
Me Myself and I: And transfer them to me.
Me Myself and I: This way, I effectively have robbed the rightful owner of 20-30 domains in his portfolio.
Sedo Employee: I understand the issue, I’m trying to assist
Me Myself and I: Sedo has a VERY BIG problem
Sedo Employee: also, please keep in mind, you cannot transfer the domain names unless you are the owner at the registrar
Sedo Employee: Sedo is not a registrar, so the domains are only listed with us
Me Myself and I: Well, I’m not actually trying to steal.
Me Myself and I: But Sedo is a listing service.
Sedo Employee: yes, but no one can sell a domain that they do not own, because they do not technically have control of it. They cannot edit the DNS, and they cannot initiate a transfer at the registrar
Me Myself and I: And I think I’ve demonstrated that–as a listing service–things couldn’t be worse, in this case.
Sedo Employee: but I understand that this is an issue and our technical team is certainly working to fix it
Me Myself and I: What happens when the real owner of Ability.info gets an email from Sedo saying that he’s just sold the domain for $100 when he thought he had it listed for around $6000?
Me Myself and I: Does he remain a customer?
Me Myself and I: Granted, the domain won’t actually be transferred because he has control at the registrar.
Sedo Employee: how many other domains are listed in the account in the sales settings section, that you do not own?
Me Myself and I: It’s the same list that I quoted above. Lots of “A” domains.
Sedo Employee: I want to make sure that the technical team has the full list
Me Myself and I: There may be others, as I’ve said; but those leap out because they are Fixed Price listings.
Me Myself and I: landscapingcatalog.com
loveconcepts.com
aag.info
4x4adventuretours.com
401kplans.info
ability.info
abnormaldesigns.com
abilityfitness.com
1031exchange.info
21k.info
accepted.info
academicsmart.com
accentbydesign.com
abnormalphotography.com
academicsoftware.info
academicscholarships.info
absurd.info
actingschool.info
activeatlanta.com
acidphotography.com
accidentinjurylaw.info
accidentinjurylawyer.info
accomplish.info
accountspayable.info
activeextreme.com
activebodynutrition.com
activeencounters.com
activeboston.com
activedetection.com
activedallas.com
activecatering.com
activelasvegas.com
activelifecoach.com
activehonolulu.com
activefitnesstraining.com
activeinvestigations.com
activelounge.com
activeintervention.com
activemiami.com
activesingles.info
activesinglesclub.com
activesanfrancisco.com
activeneighbors.com
activeoutpost.com
activereferrals.com
activeworkout.com
Me Myself and I: So my question from before remains:
Me Myself and I: If I can alter this other person’s sales listings, then what prevents him from editing MY sales settings?
Me Myself and I: That’s the real trust issue.
Me Myself and I: Sedo can stick some other guy’s domains in my account and tell me it’s alright because they’re not real.
Communication with the RightNow Chat service has been lost. Please wait while attempts are made to restore the connection.
Disconnection in 240 seconds.
Disconnection in 120 seconds.
Connection resumed.
Sedo Employee: this issue is related to a technical issue and your listings would not be editable
Me Myself and I: The other guy’s listings are certainly editable.
Sedo Employee: well they would need to be cleared through the complaint check
Me Myself and I: I just edited them. You could buy Ability.info for $100 right now and cause a mess that would need some editing.
Sedo Employee: I can suggest following up with your account manager to make sure everything is correctly resolving
Me Myself and I: I probably will.
Sedo Employee: I have made sure our technical team is aware of it and they are currently working to fix the issue
Me Myself and I: I’m also going to post this conversation online, and I’m going to notify the owner of the domains that were in my account. Don’t worry, your name will be changed. But sometimes the only way to get a company to fix its blunders is to publicly embarrass it.
Sedo Employee: well please understand, I’m doing everything I can to assist you
Me Myself and I: Yes, and I appreciate it.
Sedo Employee: and this issue should be fixed as soon as possible
Me Myself and I: But Sedo shouldn’t allow this glitch to happen. You didn’t cause the glitch.
Me Myself and I: You’re just caught in the middle.
———- Post added at 08:24 AM ———- Previous post was at 07:27 AM ———-
As of this moment, I can control the price settings for all of the domains listed above. None of them are mine. If you would like to “buy” one, just let me know what you’d like the price to be. Since they’re not mine, anything goes!
I agree this is an issue, but the fact remains that the domain still has to be pushed out of a registar account, so on paper yes, but physically no. Sedo has had a lack of customer service, and their transfer times for domains have doubled, I used to have a push approved, and credit note created same day, now it can take upto 48 horus most times during normal operating hours. I know they increased commissions but service has not been up to par. Sorry sedo you are failing us all, and we have many options now…
This is a huge issue that needs to addressed asap.
Just do business with GoDaddy,. They are US based with 24×7 customer service.
Not a fan of others in the space from previous experiences.
ugggghhhh
There are 10,000 Pros on sedo that GoDaddy won’t accept.
very dangerous bug, if true
SEDO should freeze all auctions until this bug is fixed
I like the guy changed the price and bought it from himself!
Louise
Just to prove it could be done
I have already changed the fixed price domains in my sedo account to Make offer and also exported the data for my record. If in case there is a legal battle I can produce the record.
Sedo sucks big time !!!. Any good alternative?
When one discovers a security issue of potential magnitude (not proven in this single incident), the worst they can do is reveal it to the general public before the issue is addressed. Revealing a private communication is also tacky and tasteless.
Looks like they hired some of the staff from Afternic!!!! This is PRECISELY what the software at Afternic is like – buggy as hell.
@John: Godaddy is no better. Sell a domain and wait 2 months for payment? No thanks. I listed my domains there and my first offer resulted in a deadbeat from Germany some CEO of a company over there refused to go forward without payment even though he agreed to the price and terms. Godaddy did nothing.
People like that need to be sued.
@Acro but its effective and it proves that mediocrity is the new standard. I am glad he plastered that chat all over the place. Its his right to, he was a party to it.
@Mike – It’s also effective if one screams “fire!” while at a NYC mall.
@Mike
Was it an offer or did he/she back out/back away of a BuyItNow scenario?
I think dealing with a company that has 24×7 US based customer service goes along way in taking care of issues.
GoDaddy from my experience has always looked into issues I have brought up to them almost immediately.
I have not been a fan of very many other platforms in this industry.
I don’t get sedo, they have so many worldwide offfices, why can’t they linkup, and have only a few hours of downtime, takes upto 3 days to get comments approved on transactions sometimes… really in this fast paced world who is going to wait 3 days to hear a make or break deal comment, sedo, it is not 2005 anymore, get with the program please, your bread, and butter lies with the domainers, you should be working to help them, not keep taking percentage points from them, for little service.
Yeah Sedo need to sort a few things out, this is a new one to add to the list.
Ive been deparking hundreds of domains from sedo for several reasons and plus because I dont appreciate the new ‘zero-click’ parking thing. One of my domains I visited earlier randomly forwarded to groupon. Not a ‘buy this domain now!” in sight. You want 15% for this?? I dont think so.
Sedo would like to apologize for this client’s negative experience, and we would like to stress that no other clients, accounts, or domain listings were affected.
Our system has a process in place to flag any domain listings that are problematic. We check a number of factors, including thorough WhoIs checks, and ensure names are not already listed in an existing account. If there is any issue, our system alerts us and places the relevant domains in a holding pattern within our system.
Unfortunately, a human error resulted in a small selection of names being removed from the holding pattern and allowed into the wrong client’s account. We have been in contact with the client in question and the account is currently being restored to the correct status.
Sedo regrets the error and any inconvenience our client experienced. We are also speaking internally with our staff to ensure that no human errors of this kind will be repeated.
Best regards,
Heather at Sedo
@Acro
If anyone is qualified to assess what tacky and tasteless look like it’s be you. I mean afterall, domaingag has to be about the most tacky and tasteless domain site going which leads me to ask, have you not covered a few stories on domaingag before all the dust around them had settled? I think so
@ Acro
FIRE! Sedo is on fire!
To the clown above who refers to DomainGang, do you have a brain or you lack that along with the balls to post with your real id? DomainGang never posted about pending security issues. Now, I understand that you don’t like DomainGang and I don’t like anonymous idiots like you either.
Yet again…. we get the same standard message template “We regret any incovenience” for their PATHETIC customoer service and buggy system. As usual, Sedo will shamelessly continue to screw domainers by increasing their comission without no improvement in their service.
Here’s how it’s done, fool.
http://acro.net/blog/domains/how-i-saved-godaddy-in-2001/
Sedo sucks
Not sure what your looking for they like any person and/or company is not perfect.
They had a problem they seemed to have jumped on it apologized for it.
We haven’t heard of anyone suffering a loss so seems to be the appropriate response
I’m the Sedo customer who posted this.
Tacky or tasteless? Those issues were not my concern. I found a problem at Sedo which I regarded as potentially serious and instantly attempted to address it at Sedo behind closed doors. First I sent an email, which was never answered. Second, I contacted live support. If you read my exchange with customer service, you may share my impression that, for all their good will, they didn’t understand the problem and preferred to send me off with a vague “We’ll take care of it, thanks”. If I had seen this only as a personal portfolio question, it would have ended there; but there was good reason to believe the problem could be more extensive. So, to attract the attention of the right people at Sedo, yes, I lit a small fire.
And it seems to have worked. Based on their response, Sedo is evaluating the problem. My intention is not to damage Sedo’s reputation. After all, they are a significant marketplace that I and many others in the domain industry benefit from. My goal was to fix a problem.
Perhaps they could address the rampant shill bidding on their auctions at the same time.
You,know the patently obvious shill bidding from the same people on their newly registered names that in general look like ascii but are not and that according to some is not happening.
Just a thought!
Folks, the domains can be transferred away from the registrar if they are premium listings opted in already at the registrar for instant transfer.
A few days ago I saw a .org domain listed on Sedo for ~$2000. Looked up Whois and realized had never been registered at all. I registered the name myself and as of today it is still listed on Sedo with the price having increased! I’m not a domainer but can’t see the practical legality in being able to post something that’s not yours to sell. Even if they try to play the vague “we’re just facilitating” thing.
I remember seeing a .com back in 2009 on SEDO that had a “seller’s price expectation” of $150 w/ the WhoIs showing it as well. When I tried to buy it, it was countered at $6K. Left me with a bad taste and immediately closed my account. At best, their language on their listings is confusing & their customer service is terrible in my opinion.
Sedo has numerous problems – including lousy, untimely, unresponsive ‘customer support’ – which is not avail beyond 9-5 / M-Fri “bankers hours’ in USA.
In addition it misleads its customers.
Recently submitted a bid on a domain.
Didnt receive any counteroffer. Got nudging email from Sedo suggesting I (the original offeror) make a ‘counter-offer’ to raise my bid.
Clever trick. Calling attempt to induce a new, higher offer a ‘counter-offer’. Counter to what? Silence from the seller, who ignored the original offer?
Sedo is a prime example of the lack of ‘professionalism’ in the domain industry. Not only is it pathetic in its customer service – based on my numerous interactions with their ‘support’ – including unresponsiveness where the staff person clearly had not even read the incoming email to which they were supposedly responding – but also arrogant.
I recently had an offer of $ 69 on a domain I was willing to let go for a reasonable amount; but when they informed me of the minimum $ 50 fee to pay for their automated service; leaving me $ 19 – I passed.
A fee of 80% of sales price is ridiculous. But more power to them.
Arrogance such as theirs results in new competitors coming into the space….and they will be eating their lunch
SEDO also doesn’t remove expired domain names fast enough, I have now sold four domains that I let drop/don’t own to find bids come in after it had dropped. All I did was register the domain again and then accept the offer. I guess it’s the fault of the customer for not checking availability.
@Joseph “Those issues were not my concern”
Obviously they weren’t, or you would not jeopardize the security of thousands of other accounts, if that were truly a security issue. Luckily, it wasn’t. Per your own post at DNForum, only hours elapsed between the conversation between you and Sedo’s support and posting what happened. Do you seriously believe any issue is tackled that fast?
For those that don’t care to read the details: false alarm, single incident, move on.
@Acro
Defensive much?
@Acro “I don’t like anonymous idiots like you either.”
Hmm… Me neither. Check your own WHOIS listing recently?
Geez.