Bug Exposed .UK Domains to Hijacking Risk for Months

Bug Exposed .UK Domains to Hijacking Risk for Months

Domain registrar Enom sat on a critical vulnerability which put .uk domains at risk of hijacking by attackers for four months, it has emerged.

The Canadian-owned firm – one of the world’s largest registrars with over 15 million domains – was notified by security consultancy the m group about the vulnerability at the start of May, but it has taken until September to fix it.

It specifically affected .uk domains only, so second-level domains such as .co.uk were not impacted, as described in this advisory:

“Enom allows zero-confirmation .uk domain transfers between reseller accounts. This bypasses all account security and usual domain transfer authorisation. Combined with instant IPS tag changes at Nominet, the .uk regional registrar, .uk domains can be hijacked within minutes and placed into a state where only a manual access restoration procedure with Nominet can recover the domains.

This vulnerability is accessible to and impacts anyone with an Enom account or anyone with an account with an Enom reseller which provides automated domain transfers.”

The registrar finally fixed the issue by disabling inter-account .uk transfers, ensuring they’re no longer possible without manual assistance from Enom.

Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, argued that vulnerabilities like the one in question are all too common today.

“In this case, looking at DomainTools data, it appears this vulnerability could have affected roughly 270,000 domains, possibly more,” he explained.

“Since this vulnerability was running wild for months, this could have possibly caused some serious security issues for domain administrators. This style of vulnerability could have resulted in stolen domains, therefore making it very difficult for the legitimate domain owners.”

Headquartered in the US, Enom’s parent company is Canadian internet services and telecoms business Tucows; the world’s second largest domain registrar.

Source: Information Security Magazine