web analytics
Home » Technology » Internet » Researcher was able to hijack the entire WHOIS service of the .mobi TLD

Researcher was able to hijack the entire WHOIS service of the .mobi TLD

5 days ago Amit Gohar

Security researcher Benjamin Harris, founder of WatchTowr, has made a remarkable discovery about a serious oversight by a TLD registrar that could have caused problems for virtually all of his customers.

Old domain acquired

With just $20 and a few minutes of effort, he gained control of traffic that allowed him to create fake HTTPS certificates, monitor email activity, and potentially execute arbitrary code on thousands of servers. It was enough by chance that he was able to register the domain dotmobiregistry.net, reports Ars-Technica. This address had been used for the official WHOIS server for the top-level domain .mobi some time ago.

However, after the service moved to another domain, the original owner let the domain expire. Harris, who was at the Black Hat security conference in Las Vegas, noticed this and promptly re-registered the domain. This enabled him to set up his own WHOIS server for .mobi.

Within a few hours, his server was now receiving requests from over 76,000 IP addresses. Over the next five days, around 2.5 million requests were added from around 135,000 systems. The requesters included large Internet companies, domain registrars, security tool providers, government agencies, universities and certification authorities. These queries showed that most systems continued to incorrectly access the outdated domain.

Fragile security

Harris filled his server’s WHOIS database with faulty data pointing to watchtowr.com, humorously adding ASCII art. But the consequences of his discovery are serious: He received an email from the certificate authority GlobalSign offering to send him a verification link to the spoofed address whois@watchtowr.com. Harris stopped the experiment at this point for ethical reasons, but he stressed that in theory he would have been able to create fake certificates and use them to carry out various attacks, such as intercepting traffic.

The implications of his discovery go even further, however. Since many email servers and anti-spam services query the spoofed WHOIS server for every incoming email from a .mobi sender, Harris could also have monitored email traffic over longer periods of time. Harris explained that this vulnerability highlights a fundamental problem: “The integrity of the security processes that Internet users rely on is extremely fragile,” he said.

Tags: , , , , , ,

More Stories

CrowdStrike criticizes attacks by competitors seeking profit

3 weeks ago Yasir Zeb

Ransomware attacks: Only a few groups dominate the scene

1 month ago Amit Gohar

Record market share for Microsoft browser despite allegations

1 month ago Yasir Zeb

Leave a Reply

Today’s Latest

Windows architecture is being rebuilt – third-party developers out of the kernel

1 day ago Yasir Zeb

Unity Runtime fee abolished after shitstorm

2 days ago Yasir Zeb

Only Pro Models Have Faster 5G

4 days ago Yasir Zeb

Google AI will help decide whether unemployed people receive money

4 days ago Yasir Zeb

Researcher was able to hijack the entire WHOIS service of the .mobi TLD

5 days ago Amit Gohar

QuickSwap Plans Expansion to Ethereum Mainnet And Continues To Be A Very Much Acknowledged Beacon of Progress and Innovation While Many Others Crumble Under Market Pressure

5 days ago Alexia Hope

Android 15 Notifications To Get More Colors

5 days ago Yasir Zeb

Update finally brings Dirigera Hub Matter support

5 days ago Alexia Hope

Apple makes AirPods Pro 2 ready for iOS 18

5 days ago Alexia Hope

iOS 17.7 brings important security updates

6 days ago Amit Gohar