For the record, it's not just Dynadot; many other registrar sites are set up the same way. There is nothing wrong with it as long as adequate filters (i.e., restrict to domains you own) are in place.
I saw the original message about 4 weeks ago. If you change the ID number in the URL to one of your other ID numbers, it will show that domain.
BUT this is the thing: it will only do it with your own domains, not another account's. That's how the original fool found it: by changing the ID number in the URL to one of his other domain IDs. Of course, being such a bright spark (yeah right), he did not think that this may not work with someone else's domain IDs. Having 3 accounts, I checked the cross-account reading and it just does not work.
This supposed exploit has been circulating around the web for a few weeks now. We were not able to reproduce it. We have received no complaints of domains being stolen this entire time.
As far as I can tell, this has been fixed... Is that correct? When I tried entering a domain ID for a domain that wasn't in my account, I was redirected back to my list of domains.
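
Added example, not part of any post above and not Dynadot's or any registrar's code: a sketch of the ownership filter the thread describes, beside an unfiltered lookup, plus the cross-account check one poster ran by hand across several accounts. The table layout, account numbers, domain names and the `/domains` redirect path are all constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: account 1 owns two domains, account 2 owns one.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (id INTEGER PRIMARY KEY, account_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO domains VALUES (?, ?, ?)", [
        (101, 1, "alpha.example"),
        (102, 1, "beta.example"),
        (201, 2, "gamma.example"),
    ])
    return db

def view_domain_unfiltered(db, session_account, domain_id):
    """Lookup by ID alone: the number in the URL is the only authority."""
    row = db.execute("SELECT name FROM domains WHERE id = ?", (domain_id,)).fetchone()
    return (200, row[0]) if row else (404, None)

def view_domain_filtered(db, session_account, domain_id):
    """Lookup scoped to the logged-in account. Foreign, unknown and malformed
    IDs all get the same redirect, so the response does not reveal which IDs exist."""
    try:
        domain_id = int(domain_id)
    except (TypeError, ValueError):
        return (302, "/domains")
    row = db.execute(
        "SELECT name FROM domains WHERE id = ? AND account_id = ?",
        (domain_id, session_account),
    ).fetchone()
    return (200, row[0]) if row else (302, "/domains")

def cross_account_audit(db, handler, accounts):
    """Request every domain ID under every account and return the
    (account, domain_id) pairs where a non-owner received the record."""
    rows = db.execute("SELECT id, account_id FROM domains ORDER BY id").fetchall()
    leaks = []
    for acct in accounts:
        for dom_id, owner in rows:
            status, _ = handler(db, acct, dom_id)
            if status == 200 and owner != acct:
                leaks.append((acct, dom_id))
    return leaks

if __name__ == "__main__":
    db = make_db()
    print("unfiltered leaks:", cross_account_audit(db, view_domain_unfiltered, [1, 2]))
    print("filtered leaks:  ", cross_account_audit(db, view_domain_filtered, [1, 2]))
```

Run as a regression test, the audit should return an empty list for any handler that takes an object ID from the URL.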