Researcher takes over all .io websites!

A security investigator took care of all .io domains for more than a time due to a serious error in the protection of the underlying infrastructure.

Over 270,000 .io domains were held by a security investigator at the end of last week. The man had if he wanted to block all traffic to the domains, or even divert to their own phishing or malware websites. That reports The Register.

Website domains ending .io are very popular with startups and modern internet businesses. .io is a so-called top level domain, like .com, .be or .org. At every top-level domain belongs a kind of digital phone book: a domain name server (DNS). In that directory you can find specific websites. Enter your smartbiz.com, then your browser asks for a .com name server where smartbiz is located somewhere. Then the connection to the website in question will be established.

Researcher Matthew Bryant succeeded in registering the .io name servers as regular websites under their own name. In other words, he received unchecked access to the phonebooks that track the addresses of .io websites. The bug came to light when Bryant turned a piece of test code that gave an unexpected response.

False phone book

In concrete terms, the traffic of people who surfed to a .io website passed through the DNS acquired by Bryant. That enabled him to send all traffic to his chosen addresses. A concrete application of this is phishing: if you surf to www.reliablewebsite.io, but you are sent to another site in the background, chances are you will not realize anything. After all, you acted safely.

Bryant took over four .io name servers by simply registering them as a normal website. Normally, the name of a name server is obviously not for sale as a valid website name. Fortunately, Bryant was in good faith, and did not use his access for malicious practices.

Bryant contacted the .io registry administrators by mail but the specified address was found to be invalid. Then he contacted them by phone, where he was asked to send an e-mail to another address. Although he did that immediately, it took another 24 hours before losing control of the ns-a1.io, ns-a2.io, ns-a3.io and ns-a4.io servers. At the time of this writing, the organization behind .io, according to The Register, has not yet contacted Bryant. Furthermore, it is not clear whether the problem would have come to light without the intervention of the researcher.

The researcher had only four of the seven servers, and that for about a time. Should a hacker spell the same, the damage would be the best. In practice, DNS lookups expire through cached A records, which means that it would take a while before a redirection via an inherited DNS server would have a big effect. In addition, there is an additional security suite (DNSSEC) on top of the .io domain that has in theory stopped the worst abuse.

Transfer Error

The cause of the leak can be found in transferring the management of the .io domain of the original administrator, the UK Internet Computer Bureau via NIC.io, to a third party: Afilias. After the transfer, Afilias blocked only three of the seven domain name servers, allowing the other four as common domains for sale via a registrar.