Misaligned incentives are undermining efforts to tackle TLD bugs with ‘mass-scale impact’


UPDATED Attackers could have modified the nameservers of any domain under Tonga’s country code top-level domain (ccTLD) due to a vulnerability in the TLD registrar’s website, security researchers have revealed.

With a Google search for ‘.to’ pages yielding nearly 513 million results, the flaw gave potential miscreants countless possible targets for a variety of large-scale attacks.

Fortunately, malicious exploitation was averted because the Tonga Network Information Center (Tonic) was “very responsive” in fixing the bug in under 24 hours after web security firm Palisade disclosed the issue, following a pen test, on October 8, 2021 a Palisade blog post reveals.

Rerouting traffic

Sam Curry and other Palisade researchers discovered an SQL injection vulnerability on the registrar website, abuse of which could enable attackers to obtain the plaintext DNS master passwords for .to domains.

Once logged in, they could overwrite these domains’ DNS settings and reroute traffic to their own website.

Read more of the latest internet infrastructure news

The attacker could then steal cookies and local browser storage and therefore access victim sessions, among other attacks, according to Curry.

Were an attacker to wrest control of google.to, an official Google domain for redirects and OAuth authorization flows, they could send crafted accounts.google.com links that would leak authentication tokens for Google accounts.

Shortlink security

As with .io, .to domains are widely used to generate shortlinks deployed to reset user passwords, for affiliate marketing, and to direct users to company resources.

Link shortening services used by the likes of Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) could have been abused, suggested Curry, by updating the ‘.to’ pages to which tweets from these mega brands linked to for their millions of Twitter followers.

Curry, Palisade’s founder, suggested that attackers “could likely steal a very large amount of money” from users of tether.to, the official platform for buying Tether stablecoin – even if they “controlled this domain [only] for a short period of time”.

However, Eric Gullichsen, administrator for the .to ccTLD, told The Daily Swig that “various security and monitoring and throttling systems we already had in place would have defeated many of the exploits used during the pen test, had the security researchers’ IP addresses not been whitelisted to enable their testing.”

‘Very, very, very bad’

Curry warned that similar vulnerabilities may lurk among the 1,500 or so other TLDs, speculating that ancient domain name registration pages could give attackers access to “systems used to manage all domains under the TLD which would be very, very, very bad”.

And yet, he said, misaligned incentives are hampering remediation efforts.

RELATED Security pro seizes expired DR Congo top-level domain, takes over 50% of DNS traffic

“Most programs (in my opinion) are less willing to pay for vulnerabilities in dependencies that would result in mass-scale impact across different organizations”, he explained, noting honorable exceptions such as HackerOne’s Internet Bug Bounty Program.

Moreover, providers of domain name registry services such as Verisign cannot realistically match the likes of Google and Facebook in terms of payouts, he added.

Tonga ccTLD admin Gullichsen said: “We agree with Sam that the hardening of TLD registries is an essential – and arguably neglected – aspect of internet security.”

Detection odds

Curry tells The Daily Swig that malicious actors would have a “good chance” of compromising vulnerable domains without being detected, depending on defensive monitoring.

“If you were to take over something like a cryptocurrency exchange or DeFi platform, you’d be able to just replicate the website and replace the wallet addresses with your own,” he said.

Bigger customers like Google or Facebook would likely monitor for such attacks, “but otherwise I’d imagine that unless customers were reporting issues then it would take a day or so before website owners realized their DNS had been updated”.

He adds: “There are also tons of fun attacks where you’d takeover an API for a third-party service like a 2FA provider and use it to bypass authentication, but those are more targeted and I don't think anyone would really try to compromise a TLD to target a specific account on a specific platform, but who knows!”

In related news covered by The Daily Swig in January, Detectify founder Fredrik Almroth acquired the ccTLD for the Democratic Republic of Congo (.cd) – and 50% of the TLD’s DNS traffic – after the registrar neglected to renew their ownership.

This article was updated on December 8 with comments from Eric Gullichsen, administrator for the .to ccTLD

DON’T FORGET TO READ ‘Over-permissive’ authentication checks left 190 Australian organizations vulnerable to business email compromise attacks