Spoofing Zerotier? my-dev.zerotier.com

rumple1001 · May 17, 2023, 12:50pm

I googled “Zerotier Central” today and (without paying enough attention) was presented with a normal looking Zerotier login page at:

https://my-dev.zerotier.com/

Several login attempts failed as did a couple of “Forget password” email requests. Finally I was able to login using the associated google account only to find that my network had vanished and was replaced by a request to create a new network (which I did not).

Retracing my steps I discovered the misdirection to the above site. Subsequently logging in to

https://my.zerotier.com/

everything worked as normal.

Consequently I’m wondering, if I was spoofed into revealing my google account password (changed of course) and why does this is a spoof site it appeared so high in the google search rankings and how do they get away with looking / working just like the zerotier site? If it isn’t spoof site, why doesn’t it work? Any revelations greatly appreciated.

zt-grant · May 17, 2023, 3:47pm

That’s our development & testing instance of Central. Account creation is turned off, and doesn’t use the same user database as the main instance. Not sure how it got into Google’s search results

rumple1001 · May 17, 2023, 10:02pm

Thanks for putting me straight and my mind at rest.

Wouldn’t it help if the landing page for the development site made its difference clear? I wonder how many of the “login problem” postings I reviewed are actually due to people unwittingly trying to log into this development site because it’s pretty hard to tell the difference.

Thanks again for replying.

zt-grant · May 17, 2023, 10:03pm

We put a note up on the page that it’s a Development/Test instance with a link to the production system

rumple1001 · May 17, 2023, 10:05pm

Ha! One step ahead already - very Zerotier! Thanks