One small tweak gave researchers a powerful web domain ability that could prove incredibly useful for hackers
What happens when an important domain expires?
A cybersecurity researcher recently stumbled upon an Internet vulnerability allowing him to track people’s email, run code on servers, and even counterfeit HTTPS certificates - in fact, it gave him so many options, it has been described as having “superpowers”.
The vulnerability is quite a simple one in nature - an expired domain, still being pinged by numerous servers. The domain in question is dotmobiregistry.net - which used to host the WHOIS server for .mobi.
A WHOIS server provides information about the registration details of domain names and IP addresses. It is part of the WHOIS protocol, used to query databases that store the ownership and registration information of domain names and network resources on the internet. On the other hand, .mobi was a top-level domain (TLD) specifically designed for websites intended to be accessed via mobile devices. It was launched in 2006, and designed to ensure that websites hosted under this domain are optimized for mobile viewing.
Moving the WHOIS server
At some point, and no one seems to know when or why, the WHOIS server was moved from whois.dotmobiregistry.net, to whois.nic.mobi. When the CEO and founder of security firm watchTowr, Benjamin Harris, discovered this, he purchased the domain and used it to set up an alternate .mobi WHOIS server.
Over the next couple of days, Harris’ doppelganger received millions of queries from hundreds of thousands of systems, including domain registrars, governments, universities, and others.
This allowed him, for example, to dictate who gets TLS certificates.
“Now that we have the ability to issue a TLS/SSL cert for a .mobi domain, we can, in theory, do all sorts of horrible things—ranging from intercepting traffic to impersonating the target server,” Harris said in a technical write-up. “It’s game over for all sorts of threat models at this point. While we are sure some may say we didn’t ‘prove’ we could obtain the certificate, we feel this would’ve been a step too far—so whatever.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via Ars Technica
More from TechRadar Pro
- US Authorities Issue RansomHub Ransomware Alert
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.