A cybersecurity researcher recently stumbled upon an Internet vulnerability allowing him to track people’s email, run code on servers, and even counterfeit HTTPS certificates – in fact, it gave him so many options, it has been described as having “superpowers”.
The vulnerability is quite a simple one in nature – an expired domain, still being pinged by numerous servers. The domain in question is dotmobiregistry.net – which used to host the WHOIS server for .mobi.
A WHOIS server provides information about the registration details of domain names and IP addresses. It is part of the WHOIS protocol, used to query databases that store the ownership and registration information of domain names and network resources on the internet. On the other hand, .mobi was a top-level domain (TLD) specifically designed for websites intended to be accessed via mobile devices. It was launched in 2006, and designed to ensure that websites hosted under this domain are optimized for mobile viewing.
Moving the WHOIS server
At some point, and no one seems to know when or why, the WHOIS server was moved from whois.dotmobiregistry.net, to whois.nic.mobi. When the CEO and founder of security firm watchTowr, Benjamin Harris, discovered this, he purchased the domain and used it to set up an alternate .mobi WHOIS server.
Over the next couple of days, Harris’ doppelganger received millions of queries from hundreds of thousands of systems, including domain registrars, governments, universities, and others.
This allowed him, for example, to dictate who gets TLS certificates.
“Now that we have the ability to issue a TLS/SSL cert for a .mobi domain, we can, in theory, do all sorts of horrible things—ranging from intercepting traffic to impersonating the target server,” Harris said in a technical write-up. “It’s game over for all sorts of threat models at this point. While we are sure some may say we didn’t ‘prove’ we could obtain the certificate, we feel this would’ve been a step too far—so whatever.”
Via Ars Technica
