Connect with us

Hi, what are you looking for?

Cyber Security

Flaws in Tonga’s top-level domain left Google, Amazon, Tether web services vulnerable to takeover

Attackers could have modified the nameservers of any domain under Tonga’s country code top-level domain (ccTLD) due to a vulnerability in the TLD registrar’s website, security researchers have revealed.

With a Google search for ‘.to’ pages yielding nearly 513 million results, the flaw gave potential miscreants countless possible targets for a variety of large-scale attacks.

Fortunately, malicious exploitation was averted because the Tonga Network Information Center (Tonic) was “very responsive” in fixing the bug in under 24 hours after web security firm Palisade alerted them on October 8, 2021, a Palisade blog post reveals.

Rerouting traffic

Sam Curry and other Palisade researchers discovered an SQL injection vulnerability on the registrar website, abuse of which could enable attackers to obtain the plaintext DNS master passwords for .to domains.

Once logged in, they could overwrite these domains’ DNS settings and reroute traffic to their own website.

The attacker could then steal cookies and local browser storage and therefore access victim sessions, among other attacks.

Were an attacker to wrest control of google.to, an official Google domain for redirects and OAuth authorization flows, they could send crafted accounts.google.com links that would leak authentication tokens for Google accounts.

Shortlink security

As with .io, .to domains are widely used to generate shortlinks deployed to reset user passwords, for affiliate marketing, and to direct users to company resources.

Link shortening services used by the likes of Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) could have been abused, suggested Curry, by updating the ‘.to’ pages to which tweets from these mega brands linked to for their millions of Twitter followers.

Curry, Palisade’s founder, suggested that attackers “could likely steal a very large amount of money” from users of tether.to, the official platform for buying Tether stablecoin – even if they “controlled this domain [only] for a short period of time”.

‘Very, very, very bad’

Curry warned that similar vulnerabilities may lurk among the 1,500 or so other TLDs, speculating that ancient domain name registration pages could give attackers access to “systems used to manage all domains under the TLD which would be very, very, very bad”.

And yet, he said, misaligned incentives are hampering remediation efforts.

“Most programs (in my opinion) are less willing to pay for vulnerabilities in dependencies that would result in mass-scale impact across different organizations”, he explained, noting honorable exceptions such as HackerOne’s Internet Bug Bounty Program.

Moreover, providers of domain name registry services such as Verisign cannot realistically match the likes of Google and Facebook in terms of payouts, he added.

Detection odds

Curry tells The Daily Swig that malicious actors would have a “good chance” of compromising vulnerable domains without being detected, depending on defensive monitoring.

Advertisement. Scroll to continue reading.

“If you were to take over something like a cryptocurrency exchange or DeFi platform, you’d be able to just replicate the website and replace the wallet addresses with your own,” he said.

Bigger customers like Google or Facebook would likely monitor for such attacks, “but otherwise I’d imagine that unless customers were reporting issues then it would take a day or so before website owners realized their DNS had been updated”.

He adds: “There are also tons of fun attacks where you’d takeover an API for a third-party service like a 2FA provider and use it to bypass authentication, but those are more targeted and I don’t think anyone would really try to compromise a TLD to target a specific account on a specific platform, but who knows!”

In related news covered by The Daily Swig in January, Detectify founder Fredrik Almroth acquired the ccTLD for the Democratic Republic of Congo (.cd) – and 50% of the TLD’s DNS traffic – after the registrar neglected to renew their ownership.

Source: https://portswigger.net/daily-swig/flaws-in-tongas-top-level-domain-left-google-amazon-tether-web-services-vulnerable-to-takeover

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO