Poor Security?
rabbitsmarties
04-17-2011, 12:22 AM
I find it a little bit disturbing that all you have to do to "verify ownership" of an add-on domain is set the nameservers to ns1.bluehost.com and ns2.bluehost.com. I could add any one of your domains that are hosted at bluehost to my account as an add-on, and since the nameservers are set to BH, it would accept it as "verified ownership" and I could overwrite your files. Am I missing something here or is this really the case?
Thanks.
Bob Barr
04-17-2011, 08:51 AM
<speculation>
I suspect the case is that this method of verifying ownership only works for URLs that aren't already assigned to another Bluehost account. I've added several domains to my account which were registered at other registrars. I could do so only after the actual owner of the site changed the nameservers to point to Bluehost.
</speculation>
If it's really that simple to hijack a site, you're right - that's a huge security hole.
farcaster
04-17-2011, 09:23 AM
I recently went through a process that involved moving an addon domain from one Bluehost account to another one. In the process of adding the addon domain to the second account, I had to authorize that by logging into the first account and allowing the transfer to be made.
So I don't think that you would be able to add anybody's domain as an addon to your account without them first allowing that to happen.
Bob Barr
04-17-2011, 11:25 AM
Thanks, farcaster.
Since I've never moved a domain from one Bluehost account to another, I wasn't sure of the steps needed to do that. It's good to have it confirmed that an account login is required and such a huge security hole doesn't exist.
rabbitsmarties
04-17-2011, 09:19 PM
I recently went through a process that involved moving an addon domain from one Bluehost account to another one. In the process of adding the addon domain to the second account, I had to authorize that by logging into the first account and allowing the transfer to be made.
So I don't think that you would be able to add anybody's domain as an addon to your account without them first allowing that to happen.
Okay, good. I am about to do the same thing, which got me wondering about it.
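The two behaviours discussed in this thread, as an added example that is not part of any post and is not Bluehost's code: a hypothetical `Host` model in which `claim_ns_only` accepts nameservers alone as proof of ownership, while `claim_checked` also requires approval from the account that already holds the domain. The class, method names, account names and `ns_records` data are assumptions constructed for illustration.

```python
# Hypothetical model of a shared host's add-on domain claim check.
# All names are assumptions for illustration; this is not Bluehost's code.
from dataclasses import dataclass, field

HOST_NS = {"ns1.bluehost.com", "ns2.bluehost.com"}  # nameservers named in the thread


@dataclass
class Host:
    ns_records: dict  # domain -> set of NS names (constructed stand-in for a DNS lookup)
    assigned: dict = field(default_factory=dict)   # domain -> owning account
    approvals: set = field(default_factory=set)    # (domain, from_account, to_account)

    def ns_points_here(self, domain):
        return self.ns_records.get(domain, set()) == HOST_NS

    def claim_ns_only(self, account, domain):
        """Weak check: nameservers alone count as proof of ownership."""
        if not self.ns_points_here(domain):
            return False
        self.assigned[domain] = account  # silently reassigns another customer's domain
        return True

    def approve_transfer(self, current_owner, domain, new_account):
        """Models the current owner logging in and allowing the move."""
        if self.assigned.get(domain) == current_owner:
            self.approvals.add((domain, current_owner, new_account))

    def claim_checked(self, account, domain):
        """NS check, plus owner approval when the domain is already assigned."""
        if not self.ns_points_here(domain):
            return False
        owner = self.assigned.get(domain)
        if owner is not None and owner != account:
            if (domain, owner, account) not in self.approvals:
                return False
            self.approvals.discard((domain, owner, account))  # approval is single-use
        self.assigned[domain] = account
        return True


if __name__ == "__main__":
    # Constructed sample data: one domain already held by account "alice".
    host = Host({"victim.example": set(HOST_NS)}, {"victim.example": "alice"})
    print(host.claim_checked("mallory", "victim.example"))  # refused without approval
    host.approve_transfer("alice", "victim.example", "bob")
    print(host.claim_checked("bob", "victim.example"))      # allowed after approval
```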