A security researcher has exposed a critical vulnerability in the WHOIS system. Benjamin Harris, CEO of watchTowr, gained unprecedented access by registering an expired domain once used for .mobi’s authoritative WHOIS server. His rogue server received millions of queries from thousands of systems, including government agencies, certificate authorities, and major tech companies. ArsTechnica adds: The humor aside, the rogue WHOIS server gave him powers he never should have had. One of the greatest was the ability to dictate the email address certificate authority GlobalSign used to determine if a party applying for a TLS certificate was the rightful owner of the domain name the certificate would apply to. Like the vast majority of its competitors, GlobalSign uses an automated process. An application for example.com, for instance, will prompt the certificate authority to send an email to the administrative email address listed in the authoritative WHOIS for that domain. If the party on the other end clicks a link, the certificate is automatically approved. When Harris generated a certificate signing request for microsoft.mobi, he promptly received an email from GlobalSign. The email gave him the option of receiving a verification link at whois@watchtowr.com. For ethical reasons, he stopped the experiment at this point. The vulnerability stems from outdated WHOIS client configurations, which underscores systemic weaknesses in internet infrastructure management.
Read more of this story at Slashdot.