Tell HN: My Disney account works on at least 31 domains
5 points | LukeLambert | 2 years ago
6abc.com, abc.com, abc11.com, abc30.com, abc7.com, abc7chicago.com, club33.com, d23.com, disney.com, disneyaccount.com, disneyaulani.com, disneygiftcard.com, disneyinstitute.com, disneymovieinsiders.com, disneyonice.com, disneyplus.com, disneyrewards.com, disneyweddings.com, espn.com, footytips.com.au, freeform.com, fxnetworks.com, go.com, hulu.com, marvel.com, nationalgeographic.com, rundisney.com, shopdisney.com, starwars.com, thewaltdisneycompany.com, tokyodisneyresort.jp
It's likely an undercount, and doesn't include the untold subdomains. (go.com alone has thousands of subdomains in CT logs.)
Wouldn't Disney be better served by using something like OIDC on a single domain? I see several downsides to their current approach. First, it's confusing to users when their saved credentials don't autofill because they created the account on a different site. Second, Disney can't use newer, more secure authentication like passkeys/WebAuthn because those are tied to a single domain. Finally, having the same credentials work on a bunch of seemingly-unconnected sites is a phisher's dream. If Disney's user base is accustomed to entering their credentials all around the web, why would they hesitate to enter it on a fake ABC affiliate site?
[0] https://my.disneyaccount.com lists most of the sites
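The post's second point, that passkeys/WebAuthn are bound to a single domain, comes from the relying-party ID (RP ID) rules in the WebAuthn ceremony. The following added example (not part of the HN post, and not Disney's code) models the two places that binding is enforced: the browser's rule that an RP ID must be the origin's host or a parent of it, and the server's check that the `rpIdHash` in the authenticator data and the `origin` in the browser-produced clientDataJSON match what it expects. Function names, the sample authenticator bytes and the challenge string are constructed for this example; the browser rule is simplified by omitting the Public Suffix List check, which is stated as an assumption in the code.

```python
"""
Added example (not from the HN post): a minimal model of WebAuthn's
relying-party-ID (RP ID) binding, which is why a passkey registered on
one registrable domain cannot be asserted on another. Function names,
sample data and the simplified suffix rule are this example's own.
"""
import hashlib
import json
import struct
from urllib.parse import urlparse


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule (simplified): the RP ID must equal the origin's
    host or be a parent domain of it. Real browsers also consult the
    Public Suffix List so that 'com' cannot be an RP ID; that check is
    omitted here (assumption: only private, registrable domains are passed in)."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_authenticator_data(rp_id: str, counter: int, flags: int = 0x05) -> bytes:
    """Constructed stand-in for the bytes an authenticator returns:
    sha256(rpId) || flags || 32-bit signature counter. flags 0x05 = UP|UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON, as the browser (not the page) serialises it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_assertion(rp_id: str, expected_origin: str, expected_challenge: str,
                     client_data: bytes, auth_data: bytes) -> str:
    """Server-side checks from the WebAuthn assertion ceremony that bind the
    credential to a domain. Returns 'ok' or the name of the failed check.
    Signature verification over auth_data || sha256(client_data) is the
    remaining step and is out of scope for this example."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "type"
    if cd.get("challenge") != expected_challenge:
        return "challenge"
    if cd.get("origin") != expected_origin:
        return "origin"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash"
    if not auth_data[32] & 0x01:        # UP flag: user presence must be set
        return "user-presence"
    return "ok"


def demo():
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; base64url of server randomness in practice
    # Passkey created on disney.com (RP ID "disney.com").
    auth = make_authenticator_data("disney.com", counter=7)
    good = verify_assertion("disney.com", "https://disney.com", challenge,
                            make_client_data("https://disney.com", challenge), auth)
    # The same authenticator data handed to a hulu.com login endpoint:
    # hulu.com's server expects RP ID "hulu.com", so rpIdHash does not match.
    # This is why one passkey cannot serve all 31 domains listed above.
    wrong_site = verify_assertion("hulu.com", "https://hulu.com", challenge,
                                  make_client_data("https://hulu.com", challenge), auth)
    # A look-alike origin: the browser would already refuse RP ID "disney.com"
    # there, and even a replayed assertion fails because clientDataJSON,
    # which the browser fills in, carries the real origin.
    lookalike = verify_assertion("disney.com", "https://disney.com", challenge,
                                 make_client_data("https://disney-login.example", challenge), auth)
    return good, wrong_site, lookalike


if __name__ == "__main__":
    print(demo())  # ('ok', 'rpIdHash', 'origin')
```

Run it directly to see the three outcomes. The `rp_id_allowed_for_origin` rule is the crux for the post's list: `disney.com` can cover `plus.disney.com` or `my.disneyaccount.com` only if they sit under the same registrable domain, and `disneyplus.com`, `hulu.com` or `abc.com` are separate registrable domains, so a passkey would have to be created per domain or the login moved to one identity-provider domain as the post suggests.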
logicalmonster|2 years ago
smt88|2 years ago
Yes, but even small changes are incredibly time-consuming and expensive at large companies. A coordinated authentication switch like this would cost them millions in person-hours.
> it's confusing to users when their saved credentials don't autofill because they created the account on a different site
Most people log in to these sites via mobile apps, not the web. A majority of people don't even use password managers.
> Second, Disney can't use newer, more secure authentication like passkeys/WebAuthn because those are tied to a single domain.
I don't think Disney cares that much about the appearance of security. They don't tend to maintain highly sensitive profiles for people.