Researchers Seize Part of Net Infrastructure for $20.


Security researchers gained control of a piece of the Internet's WHOIS infrastructure for just $20, exposing how fragile some of the trust mechanisms are that organizations and individuals rely on every day.

The incident began when researchers from watchTowr set out to investigate remote code execution vulnerabilities in WHOIS clients during the Black Hat USA conference in Las Vegas. In the course of that work they noticed that the WHOIS server for the .mobi top-level domain had moved from "whois.dotmobiregistry.net" to "whois.nic.mobi" a few years earlier, and that the registration for the original domain had expired in December of the previous year.

A WHOIS server acts as a public directory for the Internet, returning contact and registration details for domain names and IP address blocks. Intrigued, the watchTowr researchers spent $20 to register the expired domain whois.dotmobiregistry.net in their company's name and stood up a WHOIS server behind it. Within a few hours they saw more than 76,000 unique IP addresses querying it; within two days that had grown to over 2.5 million queries from 135,000 different systems worldwide, all still configured to use the old hostname.
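The stale-server problem described above comes down to WHOIS clients shipping a hard-coded TLD-to-server table that nobody re-checks against the referral IANA publishes. The following Python is an added example, not code from watchTowr or from the original article: it parses the referral record that whois.iana.org returns for a TLD and flags any table entry that disagrees with it. The TLD table and the IANA responses embedded here are constructed for the example (the .mobi entry mirrors the retired hostname in the article); `query_iana` performs a live TCP/43 lookup if you want to run the audit against the real registry instead of the samples.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed example of the kind of static TLD -> WHOIS server table that
# WHOIS clients ship with. The .mobi entry is the retired hostname from the
# article; the other hostnames are illustrative, not a maintained list.
STATIC_WHOIS_SERVERS: Dict[str, str] = {
    "com": "whois.verisign-grs.com",
    "mobi": "whois.dotmobiregistry.net",
    "org": "whois.publicinterestregistry.org",
}

# Constructed excerpts in the shape of whois.iana.org replies for a TLD.
# IANA gives the referral as "refer:" and usually repeats it as "whois:".
SAMPLE_IANA_RESPONSES: Dict[str, str] = {
    "com": "% IANA WHOIS server\ndomain:       COM\nwhois:        whois.verisign-grs.com\n",
    "mobi": "% IANA WHOIS server\nrefer:        whois.nic.mobi\n"
            "domain:       MOBI\nwhois:        whois.nic.mobi\n",
    "org": "% IANA WHOIS server\nrefer:        whois.publicinterestregistry.org\n"
           "domain:       ORG\nwhois:        whois.publicinterestregistry.org\n",
}


def parse_iana_referral(response: str) -> Optional[str]:
    """Return the authoritative WHOIS host named in an IANA WHOIS reply.

    Prefers the "refer:" line, falls back to "whois:", and returns None when
    neither is present (unknown TLD, error page, truncated reply), so the
    caller never silently keeps a stale entry."""
    refer: Optional[str] = None
    whois: Optional[str] = None
    for line in response.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "refer" and refer is None and value:
            refer = value
        elif key == "whois" and whois is None and value:
            whois = value
    host = refer or whois
    return host.lower() if host else None


def query_iana(tld: str, timeout: float = 10.0) -> str:
    """Live RFC 3912 lookup: send the TLD to whois.iana.org on TCP/43 and
    read until the server closes the connection."""
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as sock:
        sock.sendall(tld.encode("ascii") + b"\r\n")
        chunks: List[bytes] = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


@dataclass(frozen=True)
class Finding:
    tld: str
    configured: str
    authoritative: Optional[str]  # None means IANA gave no referral at all


def audit_static_table(static: Dict[str, str],
                       lookup: Callable[[str], Optional[str]]) -> List[Finding]:
    """Compare each hard-coded entry with the authoritative referral and
    report every TLD whose configured server is stale or unverifiable."""
    findings: List[Finding] = []
    for tld, configured in sorted(static.items()):
        authoritative = lookup(tld)
        if authoritative is None or authoritative != configured.lower():
            findings.append(Finding(tld, configured, authoritative))
    return findings


def run_offline_audit() -> List[Finding]:
    """Audit the sample table against the constructed IANA replies."""
    return audit_static_table(
        STATIC_WHOIS_SERVERS,
        lambda tld: parse_iana_referral(SAMPLE_IANA_RESPONSES.get(tld, "")),
    )


if __name__ == "__main__":
    # Swap the lambda for: lambda tld: parse_iana_referral(query_iana(tld))
    # to check a real table against the live IANA registry.
    for f in run_offline_audit():
        print(f"STALE {f.tld}: configured={f.configured} authoritative={f.authoritative}")
```

The audit treats "no referral" the same as "wrong referral": an entry that cannot be confirmed against IANA is exactly the kind that ends up pointing at an expired domain, so it is reported rather than trusted.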

More concerning still, the systems querying watchTowr's server included major domain registrars, websites, government organizations, and security vendors. Because a WHOIS client parses whatever the server it trusts returns, whoever holds the domain could serve crafted responses to exploit vulnerable clients, or supply false contact data to any process that relies on WHOIS records, including email-based checks.

watchTowr also found a weakness in domain verification: several Certificate Authorities (CAs), including ones issuing TLS/SSL certificates for prominent domains such as 'microsoft.mobi' and 'google.mobi', were consulting the researchers' WHOIS server during domain control validation. By returning attacker-chosen contact details in WHOIS responses, watchTowr could have steered validation to addresses they controlled and obtained certificates for domains belonging to other organizations. The flaw lies in the certificate issuance process, not in TLS encryption itself, but the effect is the same: a certificate for someone else's domain.

The findings prompted experts such as Nick France of Sectigo to stress the importance of keeping systems up to date, particularly in critical processes like domain control validation. He noted that while the issue may primarily affect smaller TLDs such as .mobi, it raises broader concerns about the robustness of domain verification across the Internet.

In response, the nonprofit Shadowserver sinkholed the dotmobiregistry.net domain and now redirects queries to the legitimate WHOIS server for .mobi. This protects users and systems that still query the expired hostname, but it is a stopgap; operators of those systems are urged to update to the correct authoritative WHOIS server promptly.

Overall, the researchers' accidental discovery is a wake-up call about the fragility of the Internet's infrastructure and the need to shore up the trust mechanisms built on it before malicious actors exploit the same gaps. Stakeholders must keep checking the assumptions baked into their systems, including something as mundane as a hard-coded hostname, to preserve the integrity of critical processes.
