Researcher was able to hijack the entire WHOIS service of the .mobi TLD
Security researcher Benjamin Harris, founder of WatchTowr, has made a remarkable discovery about a serious oversight by a TLD registrar that could have caused problems for virtually all of its customers.
Old domain acquired
With just $20 and a few minutes of effort, he gained control of traffic that would have allowed him to create fake HTTPS certificates, monitor email activity, and potentially execute arbitrary code on thousands of servers. It was enough that, by chance, he was able to register the domain dotmobiregistry.net, reports Ars Technica. This address had once been used for the official WHOIS server of the top-level domain .mobi.
However, after the service moved to another domain, the original owner let the domain expire. Harris, who was at the Black Hat security conference in Las Vegas, noticed this and promptly re-registered the domain. This enabled him to set up his own WHOIS server for .mobi.
Within a few hours, his server was receiving requests from over 76,000 IP addresses. Over the next five days, around 2.5 million further requests followed from around 135,000 systems. The requesters included large Internet companies, domain registrars, security tool providers, government agencies, universities and certificate authorities. These queries showed that most systems were still, incorrectly, querying the outdated domain.
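The failure mode above is a WHOIS server hostname hard-coded years ago and never re-checked against the authoritative referral. The following Python script is an added example (not code from the article or from WatchTowr) of the audit a registrar, mail filter or CA operator could run: it parses the `whois:` field of an IANA-style TLD record and flags every configured entry that does not match it. The IANA record text, the registry name and the hostname whois.current-registry.example are constructed placeholders, not the real .mobi values; only dotmobiregistry.net comes from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def _iana_record(tld: str, whois_host: str) -> str:
    """Build a constructed IANA-style TLD record (test fixture, not real data).

    In practice the record comes from `whois -h whois.iana.org <tld>`.
    """
    return (
        "% IANA WHOIS server\n"
        "% This query returned 1 object\n\n"
        f"domain:       {tld.upper()}\n\n"
        "organisation: Placeholder Registry Operator\n\n"
        f"whois:        {whois_host}\n\n"
        "status:       ACTIVE\n"
    )


# Constructed sample records for two TLDs; the server hostname is a placeholder.
IANA_RECORDS_SAMPLE: Dict[str, str] = {
    "mobi": _iana_record("mobi", "whois.current-registry.example"),
    "example": _iana_record("example", "whois.current-registry.example"),
}

# Constructed client configuration, standing in for a WHOIS server table
# hard-coded in a mail filter, registrar tool or CA validation pipeline.
# The .mobi entry still points at the expired hostname the article describes.
CONFIGURED_WHOIS_SERVERS: Dict[str, str] = {
    "mobi": "dotmobiregistry.net",
    "example": "whois.current-registry.example",
}


def normalize_host(host: str) -> str:
    """Lower-case a hostname and drop a trailing dot so comparisons are exact."""
    return host.strip().rstrip(".").lower()


def parse_iana_whois_server(record: str) -> Optional[str]:
    """Return the hostname in the 'whois:' field of an IANA TLD record, or None."""
    match = re.search(r"^whois:\s*(\S+)\s*$", record, re.MULTILINE | re.IGNORECASE)
    return normalize_host(match.group(1)) if match else None


@dataclass
class AuditResult:
    tld: str
    configured: str
    authoritative: Optional[str]
    stale: bool  # True when the configured host is not the authoritative one


def audit_whois_config(configured: Dict[str, str],
                       iana_records: Dict[str, str]) -> List[AuditResult]:
    """Compare every configured WHOIS server with the IANA referral for its TLD.

    A TLD with no IANA record available is reported as stale too, because the
    configured host cannot be confirmed as authoritative.
    """
    results: List[AuditResult] = []
    for tld, host in sorted(configured.items()):
        authoritative = parse_iana_whois_server(iana_records.get(tld, ""))
        stale = authoritative is None or normalize_host(host) != authoritative
        results.append(AuditResult(tld, normalize_host(host), authoritative, stale))
    return results


def stale_tlds(configured: Dict[str, str], iana_records: Dict[str, str]) -> List[str]:
    """Names of the TLDs whose configured WHOIS server should be updated."""
    return [r.tld for r in audit_whois_config(configured, iana_records) if r.stale]


if __name__ == "__main__":
    for r in audit_whois_config(CONFIGURED_WHOIS_SERVERS, IANA_RECORDS_SAMPLE):
        flag = "STALE" if r.stale else "ok"
        print(f"{r.tld:8} configured={r.configured:32} "
              f"authoritative={r.authoritative} {flag}")
```

Run against live data, the records dict would be filled from whois.iana.org on a schedule; the point of the comparison is that a server hostname is trusted only while IANA still refers to it, not because it was correct once.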
Fragile security
Harris filled his server’s WHOIS database with bogus data pointing to watchtowr.com, humorously adding ASCII art. But the consequences of his discovery are serious: he received an email from the certificate authority GlobalSign offering to send a verification link to the spoofed address whois@watchtowr.com. Harris stopped the experiment at this point for ethical reasons, but he stressed that in theory he would have been able to obtain fraudulent certificates and use them to carry out various attacks, such as intercepting traffic.
The implications of his discovery go even further, however. Since many email servers and anti-spam services query the spoofed WHOIS server for every incoming email from a .mobi sender, Harris could also have monitored email traffic over longer periods of time. This vulnerability, he explained, highlights a fundamental problem: “The integrity of the security processes that Internet users rely on is extremely fragile.”