Security researchers have disclosed a critical weakness in the domain validation process that could compromise the security of the entire .mobi top-level domain (TLD).
The flaw stems from an expired WHOIS server domain: by registering it, the researchers gained control over the WHOIS data that many systems, including Certificate Authorities, still consult when validating ownership of .mobi domains.
The issue arose when watchTowr researchers discovered that the old WHOIS server domain for .mobi, whois.dotmobiregistry.net, had been left to expire in December 2023, even though many clients still pointed at it rather than at the registry's current server.
They registered the domain for a mere $20, effectively becoming the authoritative WHOIS source for .mobi in the eyes of every system still using the outdated server address.
After setting up their own WHOIS server on the newly acquired domain, the researchers were shocked to find over 135,000 unique systems querying their server within days.
These included government and military mail servers, cybersecurity tools, and even Certificate Authorities (CAs) responsible for issuing TLS/SSL certificates.
The most alarming discovery came when the researchers realized they could potentially manipulate the domain validation process used by CAs to verify website ownership.
Some CAs accept the email address listed in a domain's WHOIS record as a valid "domain contact" and send the ownership challenge there (the "Email to Domain Contact" method, section 3.2.2.4.2 of the CA/Browser Forum Baseline Requirements). By controlling the WHOIS responses, the researchers demonstrated that they could have verification emails for high-profile domains such as microsoft.mobi sent to an address of their choosing.
“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers stated. This vulnerability could allow malicious actors to obtain fraudulently issued TLS certificates for .mobi domains, enabling man-in-the-middle attacks against connections that clients believe to be securely encrypted.
The researchers tested their theory with GlobalSign, a major Certificate Authority, and were able to have a verification email for microsoft.mobi sent to their own address. They stressed that they did not obtain any fraudulent certificates, as doing so would have created a significant security incident.
The researchers noted that if they could exploit this vulnerability with minimal resources, well-funded nation-state actors could potentially cause even more damage.
The incident also revealed that numerous organizations, including government agencies, cybersecurity firms, and major tech companies, still rely on outdated WHOIS server information, typically a hardcoded TLD-to-server table shipped with a WHOIS client or library. The authoritative WHOIS server for each TLD is published by IANA, so such tables need to be re-verified against that source rather than trusted indefinitely; this widespread oversight emphasizes the need for better maintenance of critical internet infrastructure.
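The validation path described above (a CA choosing a WHOIS server by TLD, reading the contact address from the answer and mailing the challenge there) and the stale-server-table problem, as an added Python example that is not from the article or from watchTowr. The WHOIS servers, their answers, the hardcoded table, the fake query function and the IANA record excerpts are constructed stand-ins with placeholder addresses; the `whois:` field they parse follows the format of `whois -h whois.iana.org <tld>` output, and whois.nic.mobi is the registry's current server as reported in the research.

```python
"""Simulated WHOIS-based CA domain validation against a stale WHOIS server
table, plus an audit that flags hardcoded servers disagreeing with IANA.
Everything here is a constructed stand-in: no network access, no real contacts."""

import re

# Hardcoded TLD -> WHOIS server table of the kind many WHOIS clients ship.
# The .mobi entry is the expired hostname the article describes.
HARDCODED_WHOIS_SERVERS = {
    "com": "whois.verisign-grs.com",
    "mobi": "whois.dotmobiregistry.net",   # expired December 2023, then re-registered
}

# Constructed WHOIS answers, keyed by (server, domain): one from the registry's
# current server, one from a server an attacker controls. Placeholder addresses.
FAKE_WHOIS_RESPONSES = {
    ("whois.nic.mobi", "example.mobi"):
        "Domain Name: EXAMPLE.MOBI\n"
        "Registrant Email: hostmaster@example.mobi\n"
        "Admin Email: hostmaster@example.mobi\n",
    ("whois.dotmobiregistry.net", "example.mobi"):
        "Domain Name: EXAMPLE.MOBI\n"
        "Registrant Email: attacker@attacker.example\n"
        "Admin Email: attacker@attacker.example\n",
}

def fake_whois_query(server: str, domain: str) -> str:
    """Stand-in for a WHOIS (TCP/43) query; returns the constructed answer."""
    return FAKE_WHOIS_RESPONSES.get((server, domain), "")

EMAIL_FIELD = re.compile(
    r"^(?:Registrant|Admin|Tech) Email:\s*(\S+)\s*$", re.MULTILINE | re.IGNORECASE)

def contact_emails(whois_text: str) -> list:
    """Addresses a CA would treat as the 'domain contact' for e-mail validation."""
    return sorted({m.group(1).lower() for m in EMAIL_FIELD.finditer(whois_text)})

def validation_recipients(domain: str, server_table: dict, query=fake_whois_query) -> list:
    """Mimic the CA side of 'email to domain contact': choose the WHOIS server by
    TLD from server_table, query it, and return the addresses the verification
    mail would go to. Whoever runs the chosen server decides the answer."""
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld not in server_table:
        raise LookupError(f"no WHOIS server configured for .{tld}")
    return contact_emails(query(server_table[tld], domain))

# Audit: compare the hardcoded table with the 'whois:' field IANA publishes per TLD.
# Constructed excerpts in the field format of `whois -h whois.iana.org <tld>`.
IANA_TLD_RECORDS = {
    "mobi": "domain:       MOBI\nwhois:        whois.nic.mobi\nstatus:       ACTIVE\n",
    "com":  "domain:       COM\nwhois:        whois.verisign-grs.com\nstatus:       ACTIVE\n",
}
IANA_WHOIS_LINE = re.compile(r"^whois:\s*(\S+)\s*$", re.MULTILINE)

def iana_whois_server(record_text: str):
    """Authoritative WHOIS server named in an IANA TLD record, or None."""
    m = IANA_WHOIS_LINE.search(record_text)
    return m.group(1).lower() if m else None

def stale_whois_entries(server_table: dict, iana_records: dict) -> dict:
    """Return {tld: (configured, authoritative)} for every TLD whose hardcoded
    server differs from IANA's, i.e. entries that may point at a dead or
    re-registered hostname."""
    stale = {}
    for tld, configured in server_table.items():
        authoritative = iana_whois_server(iana_records.get(tld, ""))
        if authoritative and authoritative != configured.lower():
            stale[tld] = (configured, authoritative)
    return stale

if __name__ == "__main__":
    print("stale table   ->", validation_recipients("example.mobi", HARDCODED_WHOIS_SERVERS))
    print("fixed table   ->", validation_recipients("example.mobi", {"mobi": "whois.nic.mobi"}))
    print("stale entries ->", stale_whois_entries(HARDCODED_WHOIS_SERVERS, IANA_TLD_RECORDS))
```

To audit a real client, replace the constructed `IANA_TLD_RECORDS` with live output from `whois -h whois.iana.org <tld>` for each TLD in its table. Fixing the table only moves trust to the correct server, though; a validator that does not depend on WHOIS contact data at all (DNS- or HTTP-based challenges) is not exposed to this class of failure.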
In response to the researchers’ findings, the UK’s National Cyber Security Centre (NCSC) and the ShadowServer Foundation have taken steps to mitigate the issue. The re-registered domain has been redirected to sinkhole systems that proxy legitimate WHOIS responses for .mobi domains, so clients still pointing at the old hostname now receive correct data rather than answers controlled by whoever holds the domain.
As the researchers concluded, “If we could do this, anyone can.” This sobering reminder highlights the ongoing challenges in securing the fundamental infrastructure of the internet and the constant vigilance required to protect against evolving threats.