UPDATED 22:33 EDT / JULY 10 2017


In epic security fail, researcher manages to take control of .io domain nameservers

A security researcher has managed to take control of several of the authoritative nameservers for the .io top-level domain, thanks to an epic security fail by the company that runs the domain's registry.

Researcher Matthew Bryant discovered that the domain names used by several of the .io nameservers had never been registered and were available to anyone. He registered them successfully, which left him potentially in control of name resolution for hundreds of thousands of .io websites.

According to The Register, the core nameservers for the .io top-level domain, or TLD for short, were a0.nic.io, b0.nic.io, c0.nic.io, ns-a1.io, ns-a2.io, ns-a3.io and ns-a4.io, and Bryant was able to register the four ns-a1.io through ns-a4.io domains, giving him control of the servers those names point to. A nameserver is a server that answers Domain Name System queries, for example telling a client which IP address a given domain name maps to; the nameservers of a TLD answer for every domain beneath it.

If a third party obtains control of the nameservers of a given TLD, it can answer queries for any domain under that TLD however it wants, and so redirect traffic bound for those domains to servers it controls. A hacker could, for example, direct visitors to a malicious website or a look-alike login page. Controlling only some of a TLD's nameservers is enough to matter, because resolvers spread their queries across the whole set of nameservers listed for the zone.
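The condition Bryant exploited, a nameserver hostname whose registrable domain nobody has registered, is easy to check for in any zone you depend on. The following is an added example, not code from the article or from Bryant: it parses a `dig`-style NS listing, reduces each nameserver hostname to its registrable domain under a single-label TLD (an assumption; it does not handle public suffixes such as co.uk), and reports nameservers whose domain a lookup function says is unregistered. The NS list and the registration table are constructed for illustration and stand in for a live WHOIS or RDAP query.

```python
"""Dangling-delegation check: find nameservers in a zone's NS set whose
registrable domain is not registered and could be claimed by anyone.

Added example; not code from the article or from Matthew Bryant. The NS
list and registration table below are constructed for illustration.
"""

# Constructed sample in the shape of `dig +short NS io.` output. The
# hostnames are the seven the article lists; the listing itself is illustrative.
DIG_OUTPUT = """\
a0.nic.io.
b0.nic.io.
c0.nic.io.
ns-a1.io.
ns-a2.io.
ns-a3.io.
ns-a4.io.
"""

# Constructed registration table standing in for a WHOIS/RDAP lookup
# (True = registered). Which names are free here is an assumption chosen to
# mirror the article's scenario, not live registry data.
REGISTERED = {
    "nic.io": True,
    "ns-a1.io": False,
    "ns-a2.io": False,
    "ns-a3.io": False,
    "ns-a4.io": False,
}


def parse_ns(dig_output):
    """Return nameserver hostnames from dig-style output, lowercased, trailing dot removed."""
    hosts = []
    for line in dig_output.splitlines():
        line = line.strip().lower()
        if not line or line.startswith(";"):   # skip blanks and dig comment lines
            continue
        hosts.append(line.rstrip("."))
    return hosts


def registrable_domain(host, tld):
    """Registrable domain of HOST directly under single-label TLD.

    Assumption: the TLD has no second-level public suffix (unlike co.uk).
    Returns None when HOST is not under TLD (an out-of-bailiwick nameserver).
    """
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:])


def find_dangling(hosts, tld, is_registered):
    """Return (host, domain) pairs whose registrable domain IS_REGISTERED reports as free."""
    dangling = []
    for host in hosts:
        domain = registrable_domain(host, tld)
        if domain is None:
            continue   # check out-of-bailiwick servers separately under their own TLD
        if not is_registered(domain):
            dangling.append((host, domain))
    return dangling


def is_registered_sample(domain):
    """Constructed lookup: unknown names default to registered so the check stays conservative."""
    return REGISTERED.get(domain, True)


if __name__ == "__main__":
    for host, domain in find_dangling(parse_ns(DIG_OUTPUT), "io", is_registered_sample):
        print(f"DANGLING: nameserver {host} relies on unregistered domain {domain}")
```

To run this against a real zone, replace `is_registered_sample` with a function that queries RDAP (for example, an RDAP domain lookup that returns HTTP 404 for an unregistered name) and feed it the output of `dig +short NS <zone>`. The same check applies to an organisation's own delegations: a nameserver hostname under an expired or never-registered domain hands name resolution to whoever registers it first.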

Fortunately, Bryant did not take advantage of his access and instead attempted to contact NIC.IO, the registry operator responsible for the .io TLD. While .io is in common use by technology companies, the TLD is the country-code domain of the British Indian Ocean Territory. The territory consists of more than 1,000 individual islands in the middle of the Indian Ocean, the most notable being Diego Garcia, home of the United States' main Indian Ocean military base.

“I … wrote up a summary of the issue and emailed both contacts [at NIC.IO] about the problem and conveyed the urgency of the fix … After sending the email I immediately received a bounce message indicating that the administrator@nic.io was not an email address that existed at all,” Bryant wrote on his blog.

Determined to do the right thing, Bryant then called NIC.IO's support phone number. After a further email, the issue appeared to have been fixed: the nameserver registrations he had made were revoked, although he never received a formal response from NIC.IO itself.

The case highlights the risks of relying on small and obscure TLD registries, a concern that has grown since ICANN's new generic TLD program began delegating hundreds of additional TLDs in 2013. Long-established registries such as the one behind .com have the operational maturity to avoid mistakes of this kind, but small operators running lesser-used TLDs present a real risk to any individual or company whose online presence depends on them. The basic check is simple: every nameserver a zone delegates to must sit under a domain the operator actually holds.

Photo: phobia/Flickr
