



Adam Banister December 7, 2021 16:43 UTC Updated: December 7, 2021 17:10 UTC

Inconsistent incentives undermine efforts to address high-impact TLD bugs

Security researchers have revealed that a vulnerability in the TLD registrar's website could have allowed an attacker to change the nameservers of any domain under Tonga's country code top-level domain (ccTLD), .to.

With nearly 513 million results when searching Google for .to pages, the flaw could have been used by malicious actors in a wide variety of large-scale attacks.

Fortunately, the Tonga Network Information Center (Tonic) responded quickly, fixing the bug within 24 hours of being alerted by web security company Palisade on October 8, 2021, and averting malicious abuse.

Traffic rerouting

Sam Curry and fellow Palisade researchers discovered a SQL injection vulnerability on the registrar's website. Exploiting it could have allowed an attacker to retrieve the plaintext DNS master passwords for .to domains.

Once logged in with such a password, an attacker could override the DNS settings for those domains and reroute their traffic to a website under the attacker's control.
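To make the two weaknesses in the registrar bug concrete (a query built from user input, and a table that stores master passwords in plaintext so an injection has something worth returning), here is an added example in Python against an in-memory SQLite database. It is not Tonic's code and not Palisade's exploit; the table names, accounts and passwords are invented, and the hypothetical `lookup_vulnerable` function is shown beside a parameterised version that stores salted PBKDF2 hashes instead of plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for a hypothetical registrar "owners" table.
# Nothing here comes from Tonic's real system; names and passwords are invented.
SAMPLE_ROWS = [
    ("example.to", "alice", "hunter2"),
    ("shop.to", "bob", "correct horse battery staple"),
]

# Classic tautology payload: turns "WHERE domain = '<input>'" into a condition
# that is true for every row.
INJECTION = "x' OR '1'='1"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is useless without the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory database with the weak design (plaintext passwords) next to
    the hardened design (per-row salt plus hash) so both can be queried."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE owners_plain (domain TEXT, owner TEXT, password TEXT)")
    conn.execute("CREATE TABLE owners_hashed (domain TEXT, owner TEXT, salt BLOB, pw_hash BLOB)")
    for domain, owner, pw in SAMPLE_ROWS:
        conn.execute("INSERT INTO owners_plain VALUES (?, ?, ?)", (domain, owner, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO owners_hashed VALUES (?, ?, ?, ?)",
                     (domain, owner, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, domain: str) -> list:
    """Weak pattern: user input is spliced into the SQL text, and the table
    being read holds the plaintext password, so an injection leaks it."""
    query = f"SELECT domain, owner, password FROM owners_plain WHERE domain = '{domain}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, domain: str) -> list:
    """Parameterised query: the input is bound as data and is never parsed as
    SQL, and the projected columns contain no secret to return."""
    return conn.execute(
        "SELECT domain, owner FROM owners_hashed WHERE domain = ?", (domain,)
    ).fetchall()


def verify_password(conn: sqlite3.Connection, domain: str, password: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM owners_hashed WHERE domain = ?", (domain,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))  # every row, passwords included
    print("hardened:  ", lookup_hardened(conn, INJECTION))    # no rows match the literal string
    print("login ok:  ", verify_password(conn, "example.to", "hunter2"))
```

The hardened lookup alone would have stopped the injection; the hashing matters because the bug's impact came from what the database held, not only from how it was queried.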

Among other attacks, an attacker could then steal cookies and local browser storage, thereby gaining access to victims' sessions.

An attacker who took control of google.to, Google's official domain for redirects and OAuth authentication flows, could send a specially crafted accounts.google.com link that leaks the victim's Google authentication token.

Short link security

Like .io, .to domains are widely used to generate short links, which are deployed for resetting user passwords, affiliate marketing, and directing users to company resources.

Link-shortening services used by Amazon (amzn.to), Uber (ubr.to), Verizon (vz.to) and others could have been abused by changing where the .to links in these mega-brands' tweets point, Curry suggested, since those links reach millions of Twitter followers.

Curry, the founder of Palisade, suggested that an attacker who controlled tether.to, the official platform for buying the Tether stablecoin, could steal a very large amount of money from its users, even if they held the domain only for a short time.

Very, very, very bad

Curry warns that similar vulnerabilities may be lurking in the roughly 1,500 other TLDs, and speculates that old domain registration pages could give attackers access to the systems that manage every domain under a TLD.

However, he said that inconsistent incentives hinder remediation efforts.

"Most programs (in my opinion) are less willing to pay for dependency vulnerabilities that can have a large impact on different organizations," he explained, citing HackerOne's Internet Bug Bounty program as an honorable exception.

He added that domain name registry service providers such as Verisign cannot realistically match the likes of Google and Facebook in terms of payouts.

Detection odds

Curry told The Daily Swig that defensive monitoring would probably not stop malicious attackers from compromising vulnerable domains without being detected.

"If you wanted to take over something like a cryptocurrency exchange or a DeFi platform, you could duplicate the website and replace the wallet address with your own," he said.

"Large customers like Google and Facebook may monitor for such attacks, but otherwise I think it would take about a day for the website owner to notice that the DNS had been updated, unless a customer reported a problem."

He added: "There are lots of fun attacks where you hijack the APIs of third-party services such as 2FA providers and use them to bypass authentication, but they are more targeted and no one really wants to... who is going to breach a TLD and then target a specific account on a specific platform?"
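The "about a day" estimate above is the window a domain owner can shrink with a simple scheduled check. As an added example (not code from The Daily Swig, Palisade or Tonic), the Python below compares each monitored domain's delegated nameservers against a known-good baseline and raises an alert on any change or on a failed lookup. The domains, nameserver hostnames and "live" answers are constructed so the block runs offline; the hypothetical `dnspython_resolver` shows where a real lookup via the third-party dnspython package (assumed installed) would plug in.

```python
from typing import Callable, Dict, List, Set

# Constructed baseline: the nameservers each domain is *supposed* to delegate to.
# All domains and hostnames are invented for illustration.
BASELINE: Dict[str, Set[str]] = {
    "example.to": {"ns1.hosting.example.", "ns2.hosting.example."},
    "shop.to": {"ns1.hosting.example.", "ns2.hosting.example."},
    "links.to": {"ns-a.cdn.example.", "ns-b.cdn.example."},
}

# Constructed "live" answers standing in for real DNS lookups: example.to is
# unchanged (only case and trailing dot differ), shop.to has been repointed to
# an unknown nameserver, and links.to does not resolve at all.
FAKE_ANSWERS: Dict[str, Set[str]] = {
    "example.to": {"NS2.hosting.example", "ns1.hosting.example."},
    "shop.to": {"ns1.evil-host.example."},
}


def fake_resolver(domain: str) -> Set[str]:
    """Stand-in resolver returning the constructed answers above."""
    if domain not in FAKE_ANSWERS:
        raise RuntimeError(f"NS lookup failed for {domain}")
    return FAKE_ANSWERS[domain]


def dnspython_resolver(domain: str) -> Set[str]:
    """Real lookup with dnspython (assumed installed; not used by the offline demo).
    For hijack detection, point the resolver at the TLD's authoritative servers
    rather than a caching recursive resolver, or a changed delegation stays
    hidden until the cached NS records expire."""
    import dns.resolver
    return {str(rdata.target) for rdata in dns.resolver.resolve(domain, "NS")}


def normalize(names: Set[str]) -> Set[str]:
    """Lower-case and add a trailing dot so cosmetic differences do not alert."""
    return {n.lower().rstrip(".") + "." for n in names}


def check_nameservers(baseline: Dict[str, Set[str]],
                      resolver: Callable[[str], Set[str]]) -> List[dict]:
    """Return one alert per domain whose NS set differs from the baseline or
    whose lookup failed. Failures are reported, not skipped: during a hijack
    the old nameservers may simply stop answering for the domain."""
    alerts: List[dict] = []
    for domain in sorted(baseline):
        expected = normalize(baseline[domain])
        try:
            observed = normalize(resolver(domain))
        except Exception as exc:  # a resolver error is itself a signal
            alerts.append({"domain": domain, "kind": "lookup_error", "detail": str(exc)})
            continue
        if observed != expected:
            alerts.append({
                "domain": domain,
                "kind": "ns_changed",
                "expected": sorted(expected),
                "observed": sorted(observed),
                "added": sorted(observed - expected),
                "removed": sorted(expected - observed),
            })
    return alerts


if __name__ == "__main__":
    for alert in check_nameservers(BASELINE, fake_resolver):
        print(alert)
```

Run it from cron or a CI schedule and route non-empty results to whatever pages the on-call engineer. It only catches delegation changes, which is what a registrar compromise alters; a hijack that keeps the nameservers and edits records on the DNS host itself needs the same comparison applied to A, AAAA, MX and TXT records.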

In related news featured by The Daily Swig in January, Detectify founder Fredrik Almroth took control of a nameserver domain for the Democratic Republic of the Congo's ccTLD (.cd), and with it around 50% of the TLD's DNS traffic, after the registry neglected to renew its ownership.

