Thu, 04 Nov 2004

Stupid Security

I discovered an ISP that allows DNS changes through a simple web form. To ensure changes are made by authorized personnel, they only accept changes from the Administrative Contact listed in the WHOIS records for the target domain.

Talk about a gaping security hole. Just find a domain with DNS hosted by this particular ISP, use the results of a WHOIS query to get the necessary credentials, and hijack the domain. Doing it from a public terminal at 5:30 PM on a Friday should minimize the chance of being noticed before the change is complete.

I discovered this flaw at work this week when I was asked to submit DNS changes for a client that moved their physical location necessitating an switch to a different ISP.

We had a technician on-site, but he had his hands full with the hard work: wiring, bring up systems, etc.

Initially, I submitted the changes using my own name and e-mail address, explaining in the special instructions box who I was, how they could verify the authenticity of my request, and why it wasn't practical to submit from the Administrative Contact's e-mail address: the mail server was setting at the new location, on one of the new ISP's IP addresses, which couldn't be reached by name until these very DNS changes were made.

The reply to my first submission:

For security reasons, we will only accept DNS requests from the administrative contact (WHOIS Lookup) of the domain name.

After hours of tail chasing with the ISP's support department (mortals are not allowed to talk to the DNS team directly), and rather frustrated, I just filled out the web form with the unreachable contact information. An hour later, the DNS changes were active.

No e-mail messages requesting a reply to authorize or a link to their website to verify the authenticity of the request was sent. The web page just generates an e-mail to the DNS team and a copy back to the submitter. The fact that the courtesy copy is undeliverable is overlooked.

The following morning, I got a call from the ISP with the account manager and a supervisor on the phone. They were ready to conference a member of the DNS team on the phone get the DNS changes I needed made. Already done, I told them. "I walked through a gaping security hole in your system and the DNS team happily made the changes for me."

I explained the situation. Hopefully they will fix the hole. I'd hate to see our client or any one else have their domain hijacked due to such stupid security.

[/internet] [link]

About this weblog

This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to:
marc@questright.com.

Marc writes here about cycling, programming, Linux, and other items of personal interest.

This site is syndicated with RSS.

Archives

Credits

CSS stolen from Tom Coates who didn't even complain.