The security research team at WatchTower has reported a flaw in certificate issuance at a service provider, stemming from the migration of the WHOIS server for the .MOBI top-level domain. The stale server address made it possible for the research team to obtain certificates for any domain under the .MOBI TLD.
WHOIS is a protocol for looking up information about domain names, IP addresses and Autonomous System (AS) numbers: who the registrant is, when the registration expires, and whom to contact if there is a problem.
The issue arose when the .MOBI registry moved its WHOIS server from whois.dotmobiregistry.net to whois.nic.mobi years ago but did not keep the dotmobiregistry.net domain registered. The research team registered the lapsed domain and stood up a WHOIS server on it to observe incoming connections, which revealed numerous WHOIS clients still pointed at the old hostname. Among them, after a period of observation, were certificate authorities.
The team published WHOIS records on their server for domains they do not own, such as microsoft.mobi, and then attempted to obtain certificates for them from several CAs. GlobalSign consulted the team's newly built WHOIS server during domain validation, so the certificate request could be verified using the email address the team had placed in the record.
The team stopped testing once the certificate requests had been accepted, before any actual certificate was issued. They also found numerous other systems still querying the old domain, including mail servers and security services. Keeping WHOIS server information up to date is essential for system and security administrators to prevent incidents like this from recurring.
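The root cause above is a hardcoded WHOIS referral that outlived the registry's migration. The following added example (not code from the article or from the research team) is a small audit check a defender can run against their own tooling: it compares a locally configured TLD-to-WHOIS-server table with the `whois:` line IANA publishes for each TLD and flags stale entries. The IANA reply text and the `CONFIGURED_SERVERS` table are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an IANA TLD record; only the "whois:" line is used.
# The organisation value is a placeholder, not copied from IANA.
IANA_RESPONSE_MOBI = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org

domain:       MOBI

organisation: Example Registry Operator (constructed)

whois:        whois.nic.mobi

status:       ACTIVE
"""

# Hypothetical hardcoded table of the kind a CA validation pipeline, mail
# filter or threat-intel tool might ship with. The .mobi entry is the stale
# hostname from the article.
CONFIGURED_SERVERS: Dict[str, str] = {
    "mobi": "whois.dotmobiregistry.net",
    "com": "whois.verisign-grs.com",
}

def parse_iana_whois_server(response: str) -> Optional[str]:
    """Extract the authoritative WHOIS host from an IANA TLD record."""
    m = re.search(r"^whois:\s*(\S+)\s*$", response, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else None

def registrable_domain(host: str) -> str:
    """Naive parent-domain guess (last two labels). Good enough for a report
    line; not a substitute for a public-suffix-list lookup."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def audit_whois_servers(configured: Dict[str, str], iana_records: Dict[str, str]) -> List[str]:
    """Return one finding per TLD whose configured server disagrees with IANA.
    A mismatch means the tool still trusts a host the registry no longer
    operates, whose parent domain can lapse and be registered by anyone."""
    findings: List[str] = []
    for tld, configured_host in configured.items():
        record = iana_records.get(tld)
        if record is None:
            findings.append(f"{tld}: no IANA record supplied, cannot verify")
            continue
        authoritative = parse_iana_whois_server(record)
        if authoritative is None:
            findings.append(f"{tld}: IANA record has no whois: line")
        elif authoritative != configured_host.lower():
            findings.append(
                f"{tld}: configured {configured_host} but IANA lists {authoritative}; "
                f"stale referral depends on registration of {registrable_domain(configured_host)}"
            )
    return findings
```

In practice the `iana_records` input would be filled by querying whois.iana.org for each TLD in the table; the check is worth scheduling, since a referral that is correct today can go stale after the next registry migration.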
Source – WatchTower
TLDR: A flaw in certificate issuance arose from the WHOIS server migration for the .MOBI TLD, allowing the research team to obtain certificates for any .MOBI domain. Keeping WHOIS domain information current is essential for system security.