A cybersecurity researcher recently discovered a vulnerability on the internet that allowed him to monitor people’s emails, execute code on servers, and even forge HTTPS certificates. It gave him so many capabilities that it was described as having “superpowers.”
The vulnerability is quite simple in nature: an expired domain, which is still being pinged by numerous servers. The domain in question is dotmobiregistry.net, which used to host the WHOIS server for .mobi.
A WHOIS server provides information about the registration data of domain names and IP addresses. It is part of the WHOIS protocol, which is used to query databases that store the ownership and registration data of domain names and network resources on the Internet. On the other hand, .mobi was a top-level domain (TLD) that was specifically designed for websites that needed to be accessible via mobile devices. It was launched in 2006 and was designed to ensure that websites hosted under this domain were optimized for mobile use.
Moving the WHOIS server
At some point, and no one seems to know when or why, the WHOIS server was moved from whois.dotmobiregistry.net to whois.nic.mobi. When security firm watchTowr CEO and founder Benjamin Harris discovered this, he bought the domain and used it to set up an alternate .mobi WHOIS server.
In the days that followed, Harris’ doppelganger received millions of queries from hundreds of thousands of systems, including domain registrars, governments, universities, and others.
For example, he could determine who received TLS certificates.
“Now that we have the ability to issue a TLS/SSL certificate for a .mobi domain, we can theoretically do all sorts of horrible things, ranging from intercepting traffic to impersonating the target server,” Harris said in a technical note. “It’s game over at this point for all sorts of threat models. While we’re sure some will say that we haven’t ‘proven’ that we could get the certificate, we feel that would have been a step too far, so whatever.”
Via Ars Technique