Flaw allowed anyone to edit & take control over .as domains. A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner.
The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL.
“By simply Base64 encoding an .as domain name and appending it to an URL on the nic.as website, it was possible to view the entire domain record for the domain (including unencrypted passwords for domain owners, technical contacts, and billing contacts),” the researcher wrote on his blog two days ago.
ASNIC initially denied any problem, but eventually fixed it
The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing.
ASNIC first denied the presence of any issue, then acknowledged the problem, and later revealed the system was online since the mid-1990s, but said that the plaintext password was actually never used to authenticate users for domain management operations.
The last email the researcher received said “The use of [base] 64 encoding has been eliminated. We are beginning the process of notification.”
Two months later, seeing that no customer received notifications of the data leak, the researcher contacted ASNIC, but the registry never answered again.
ASNIC plays down the incident via a statement on its website
Three months after making his discovery, the researcher is now going public with his findings. The researcher is hoping that owners of a .as domain will check and see if the plaintext password they used when registering the domain has been used somewhere else in the meantime. Customers that did should change it.
Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald’s, British Gas, Bose, Adidas, the University of Texas, and many link shortening services.
ASNIC’s erratic communications continued yesterday when it released a statement saying the researcher’s report “is inaccurate, misleading and sexed-up to the max.”
The registry specified the flaw was in a legacy domain registrar system, now retired, and not in ASNIC’s current backend registry system. The full ASNIC statement can be read below.