A security researcher recently stumbled upon an Internet-wide weakness that let him read other people's email, execute code on servers and even obtain fraudulent HTTPS certificates – so many options that he has been described as having “superpowers”.
The weakness is simple: an expired domain that a large number of systems still query. The domain in question is dotmobiregistry.net, which used to host the WHOIS server for the .mobi top-level domain.
A WHOIS server answers queries about domain-name registrations and IP address allocations. It speaks the WHOIS protocol, which clients use to query the databases that hold ownership and registration records for domain names and network resources on the Internet. The .mobi TLD, launched in 2006, was created for websites meant to be accessed from mobile devices, with the aim of ensuring that sites under it were optimized for viewing on a phone.
Moving the WHOIS server
At some point, and no one seems to know when or why, the .mobi WHOIS server moved from whois.dotmobiregistry.net to whois.nic.mobi, and the old domain was allowed to lapse. When Benjamin Harris, CEO and founder of the security firm watchTowr, noticed this, he registered the lapsed domain and used it to stand up his own .mobi WHOIS server.
Over the following days, Harris's stand-in server received millions of queries from hundreds of thousands of systems, among them domain registrars, government bodies and universities, all still pointed at the old hostname.
One consequence is that he could influence who is able to obtain TLS certificates: certificate authorities consult WHOIS records when deciding which contact addresses may approve a certificate request for a domain, so whoever answers the WHOIS queries decides what those records say.
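The root cause above is a hard-coded WHOIS hostname that nobody re-validated after the registry moved. The following added example (written for this page; it is not code from watchTowr, the article or Ars Technica) shows the defender-side check: a minimal RFC 3912 WHOIS client, a parser for the referral line, and a staleness check that compares a configured server against the referral IANA publishes for the TLD. The IANA response, the local one-shot server and the hostnames it serves are constructed for offline demonstration; the only hostname taken from the article is whois.nic.mobi as the current .mobi server.

```python
"""
Added example: detect a stale hard-coded WHOIS server by comparing it with
the referral the IANA root WHOIS publishes for the TLD.

Assumptions (not from the article): the IANA root WHOIS at whois.iana.org
answers a bare TLD query with a "whois:" line; SAMPLE_IANA_RESPONSE below is
constructed, not a captured response.
"""
import socket
import threading

WHOIS_PORT = 43
IANA_WHOIS = "whois.iana.org"   # real IANA root WHOIS host, used only if you call it yourself


def whois_query(host, query, port=WHOIS_PORT, timeout=5.0):
    """One WHOIS query per RFC 3912: TCP connect, send query + CRLF, read until EOF."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(response):
    """Return the referral WHOIS host named in a response, or None.

    IANA's root WHOIS uses 'whois:'; many registries use 'Registrar WHOIS Server:'.
    Comment lines beginning with '%' or '#' are skipped.
    """
    for line in response.splitlines():
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("whois", "registrar whois server"):
            host = value.strip().lower().rstrip(".")
            if host:
                return host
    return None


def stale_server_finding(tld, configured_host, iana_response):
    """Compare a hard-coded WHOIS server with the referral IANA currently publishes.

    Returns a finding string when they differ (the .mobi failure mode: clients kept
    asking whois.dotmobiregistry.net after the registry moved to whois.nic.mobi),
    or None when the configured host matches the published one.
    """
    published = parse_referral(iana_response)
    configured = configured_host.lower().rstrip(".")
    if published is None:
        return f"{tld}: no whois: referral in IANA response; cannot validate {configured}"
    if published != configured:
        return (f"{tld}: configured WHOIS server {configured} differs from IANA referral "
                f"{published}; a stale hostname's domain can lapse and be re-registered")
    return None


def lookup_tld_whois_server(tld, iana_host=IANA_WHOIS, port=WHOIS_PORT):
    """Resolve the TLD's WHOIS server at query time instead of hard-coding it."""
    return parse_referral(whois_query(iana_host, tld, port=port))


# Constructed sample in the shape of an IANA root-WHOIS answer (not a real capture).
SAMPLE_IANA_RESPONSE = """% IANA WHOIS server (constructed sample)

domain:       MOBI
organisation: Example Registry Operator (placeholder)
whois:        whois.nic.mobi
status:       ACTIVE
"""


def serve_once(response, host="127.0.0.1"):
    """Start a one-shot local WHOIS server on an ephemeral port; returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                      # consume the query line
            conn.sendall(response.encode("utf-8"))
        srv.close()                              # closing the socket signals EOF to the client

    thread = threading.Thread(target=handle, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    port, thread = serve_once(SAMPLE_IANA_RESPONSE)
    live = whois_query("127.0.0.1", "mobi", port=port)
    thread.join(timeout=5)
    print(stale_server_finding("mobi", "whois.dotmobiregistry.net", live))
```

Run against the local server the script prints a finding for whois.dotmobiregistry.net and nothing for whois.nic.mobi. In a real deployment the check belongs in the client's startup path or a periodic job: fetch the referral from whois.iana.org, compare it with whatever hostname is baked into the configuration, and alert on drift, so that a registry move is noticed before the old domain expires rather than after someone else registers it.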
“Now that we have the ability to issue a TLS/SSL certificate for a .mobi domain, we can, in theory, do all sorts of horrible things, from intercepting traffic to spoofing the target server,” Harris said in a white paper. “At this point, all sorts of threat models are gone. While we’re sure some may say we didn’t “prove” we could get the certificate, we think this would have been going too far, so never mind.”
Via Ars Technica