Flaws in Tonga’s top-level domains make Google, Amazon, and Tether web services vulnerable to acquisition

Adam Bannister December 7, 2021 16:43 UTC

Updated: December 7, 2021 17:10 UTC

Inconsistent incentives are undermining efforts to resolve TLD vulnerabilities with “large-scale impact”

Security researchers have revealed that vulnerabilities in the TLD registrar’s website could have allowed attackers to modify the name servers of any domain under Tonga’s country code top-level domain (ccTLD), .to.

A Google search for “.to” pages yielded nearly 513 million results, so the vulnerability handed would-be criminals an enormous pool of targets for a range of large-scale attacks.

Fortunately, after cybersecurity company Palisade alerted it on October 8, 2021, the Tonga Network Information Center (Tonic) “responded quickly” and fixed the vulnerability in less than 24 hours, heading off malicious exploitation, a blog post reveals.

Reroute traffic

Sam Curry and fellow Palisade researchers discovered a SQL injection vulnerability on the registrar’s website. Abusing the flaw could allow an attacker to obtain the plaintext DNS master password for the .to domain.

Once logged in, they could override the DNS settings of any .to domain and reroute its traffic to a website under their own control.

The attacker could then steal cookies and local browser storage to take over the victim’s session, among other attacks.

If an attacker controlled google.to (the official Google domain used for redirects and OAuth authorization flows), they could send crafted account.google.com links that would leak the victim’s Google account authentication token.

Short link security

Like .io, the .to domain is widely used to generate short links for resetting user passwords, affiliate marketing, and directing users to company resources.

Curry suggested that the link-shortening services used by companies such as Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) could be abused. By updating the “.to” pages linked from these big brands’ tweets, he said, an attacker could reach the millions of Twitter followers associated with them.

Curry, the founder of Palisade, said that attackers “could steal a large amount of funds from users of tether.to”, the official platform for buying Tether stablecoins, even if they “controlled the domain [only] for a short time”.

“Very, very, very bad”

Curry warned that similar vulnerabilities may be lurking in roughly 1,500 other TLDs. He speculated that outdated domain registration pages could give attackers access to “the system used to manage all domains under the TLD, which would be very, very, very bad.”

However, he said that misaligned incentives are hampering remediation efforts.

He explained: “Most programs (in my opinion) are reluctant to pay for vulnerabilities in dependencies, which can lead to large-scale cross-organizational impacts,” while pointing to some honourable exceptions, such as HackerOne’s Internet Bug Bounty program.

He added that domain registration service providers such as Verisign cannot match companies such as Google and Facebook when it comes to security spending.

Detection probability

Curry told The Daily Swig that malicious actors would have a “good chance” of compromising vulnerable domains without being detected, depending on the defensive monitoring in place.

“If you want to take over things like cryptocurrency exchanges or DeFi platforms, you can just copy the website and replace it with your own wallet address,” he said.

Large customers like Google or Facebook might monitor for such attacks, “but I think it will take a day or so for website owners to realize that their DNS has been updated unless the customer reports the problem.”
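The detection gap Curry describes above is the time between an unauthorised change to a domain's delegation and someone noticing it. The following is an added illustration, not code from the article or from Palisade, of the defensive check a domain owner can run on a schedule: compare the live NS and A records against a signed-off baseline and raise a finding on any drift. The domain, records and the `constructed_lookup` resolver are constructed sample data; in production the lookup callable would wrap a real resolver.

```python
"""Baseline-drift check for a domain's DNS delegation and address records.

Added example, not from the article: the lookup function is injectable so the
comparison logic runs offline here against constructed data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# (domain, rrtype) -> record strings, in the form a resolver would return them
LookupFn = Callable[[str, str], Iterable[str]]


def canon(rdata: str) -> str:
    """DNS names are case-insensitive and may or may not carry a trailing dot."""
    return rdata.strip().lower().rstrip(".")


@dataclass
class Drift:
    domain: str
    rrtype: str
    added: Set[str] = field(default_factory=set)    # seen live, not in baseline
    removed: Set[str] = field(default_factory=set)  # in baseline, missing live


def check_domain(domain: str, baseline: Dict[str, List[str]], lookup: LookupFn,
                 rrtypes=("NS", "A")) -> List[Drift]:
    """Return one Drift per record type whose live set differs from the baseline."""
    findings: List[Drift] = []
    for rrtype in rrtypes:
        expected = {canon(r) for r in baseline.get(rrtype, ())}
        observed = {canon(r) for r in lookup(domain, rrtype)}
        if observed != expected:
            findings.append(Drift(domain, rrtype, observed - expected, expected - observed))
    return findings


def run_monitor(baseline: Dict[str, Dict[str, List[str]]], lookup: LookupFn) -> Dict[str, List[Drift]]:
    """Check every baselined domain; only domains with drift appear in the result."""
    report: Dict[str, List[Drift]] = {}
    for domain, records in baseline.items():
        drifts = check_domain(domain, records, lookup)
        if drifts:
            report[domain] = drifts
    return report


# Constructed sample: the baseline the owner signed off, and a "live" answer in
# which one name server has been replaced (case and trailing dot also differ).
BASELINE = {"example.to": {"NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
                           "A": ["198.51.100.10"]}}


def constructed_lookup(domain: str, rrtype: str) -> List[str]:
    live = {("example.to", "NS"): ["NS1.Example-DNS.net", "ns1.unrecognised.example."],
            ("example.to", "A"): ["198.51.100.10"]}
    return live.get((domain, rrtype), [])


if __name__ == "__main__":
    for domain, drifts in run_monitor(BASELINE, constructed_lookup).items():
        for d in drifts:
            print(f"ALERT {domain} {d.rrtype}: added={sorted(d.added)} removed={sorted(d.removed)}")
```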

He added: “There are still many interesting attacks. You can take over the API for third-party services (such as 2FA providers) and use it to bypass authentication, but these attacks are more targeted and I don’t think anyone will really try to destroy top-level domains to target specific accounts on specific platforms, but who knows!”

In related news reported by The Daily Swig in January, Detectify founder Fredrik Almroth obtained the Democratic Republic of Congo’s ccTLD (.cd), along with 50% of the TLD’s DNS traffic, after the registrar neglected to renew its ownership.
