A recent vulnerability discovery has exposed a glaring security flaw in the .MOBI domain name ecosystem. The flaw, stemming from an expired WHOIS server domain, allowed a group of researchers to take control of the WHOIS lookups that Certificate Authorities and other parties rely on when validating .MOBI websites.
The Flaw:
In December 2023, the WHOIS server domain responsible for serving .MOBI domain information (whois.dotmobiregistry.net) expired. Due to a lack of proper maintenance, the old domain was not renewed, creating a security loophole: anyone able to register it could answer the WHOIS queries that clients were still sending to that hostname.
Exploitation:
The researchers were able to register the expired domain for just $20, effectively becoming the “administrators” of the .MOBI TLD. By setting up their own WHOIS server on the newly acquired domain, they intercepted over 135,000 unique systems querying for .MOBI domain information.
Alarming Implications:
The most concerning aspect of this vulnerability was the potential to manipulate the domain validation process used by Certificate Authorities (CAs). By controlling the WHOIS responses, the researchers demonstrated the ability to receive verification emails for high-profile domains like microsoft.mobi.
This vulnerability could allow malicious actors to obtain fraudulent SSL/TLS certificates for domains they do not own, potentially facilitating man-in-the-middle attacks and compromising the security of encrypted communications.
Widespread Impact:
The researchers’ testing with GlobalSign, a major CA, confirmed the vulnerability’s feasibility. They emphasized that while they did not obtain any fraudulent certificates, the ease of exploitation raises concerns.
Numerous organizations, including government agencies, cybersecurity firms, and major tech companies, were still relying on outdated WHOIS server information, highlighting the need for better maintenance and updating of critical internet infrastructure.
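The maintenance problem described above is concrete enough to check for. The following script is an added illustration, not code from the article or from the researchers: it audits a tool's hard-coded WHOIS server list against the live referral that whois.iana.org publishes for each TLD, and flags entries where IANA now points somewhere else. whois.dotmobiregistry.net is the expired host named in the article; the remaining hostnames, the IANA-style records in SAMPLE_IANA_RESPONSES and the .mobi referral shown there (whois.nic.mobi) are constructed or assumed values for the offline demo, and `registrable_domain` is a deliberately crude two-label approximation rather than a public suffix list lookup. A live run replaces `offline_fetch` with the default `whois_query`.

```python
"""Audit a hard-coded WHOIS server list against the live IANA referral.

Added illustration for the .MOBI WHOIS incident; not code from the article
or from the researchers. RFC 3912 WHOIS is one TCP round trip: connect to
port 43, send the query plus CRLF, read until the server closes. The root
of the referral chain is whois.iana.org, whose record for a TLD carries a
"whois:" line naming the registry's current WHOIS server, so a list baked
into a tool years ago can be checked against it.
"""
import re
import socket
from typing import Callable, Dict, Optional

IANA_WHOIS = "whois.iana.org"


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Minimal RFC 3912 client: send `query`, return the full reply text."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_iana_referral(text: str) -> Optional[str]:
    """Return the hostname on the first 'whois:' line of an IANA record, or None."""
    for line in text.splitlines():
        m = re.match(r"^\s*whois:\s*(\S+)\s*$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower().rstrip(".")
    return None


def registrable_domain(host: str) -> str:
    """Crude last-two-label approximation (no public suffix list). Enough to
    show which domain a stale server hostname hangs off, e.g.
    whois.dotmobiregistry.net -> dotmobiregistry.net."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_whois_servers(
    configured: Dict[str, str],
    fetch: Callable[[str, str], str] = whois_query,
) -> Dict[str, Dict[str, Optional[str]]]:
    """For each TLD, compare the configured WHOIS server with IANA's referral.

    status: 'ok' (match), 'stale' (IANA points elsewhere, so the configured
    host is no longer authoritative and its domain may even have lapsed),
    or 'no-referral' (IANA record carries no whois: line; treat as unknown).
    """
    report = {}
    for tld, server in configured.items():
        server = server.lower().rstrip(".")
        referral = parse_iana_referral(fetch(IANA_WHOIS, tld))
        if referral is None:
            status = "no-referral"
        elif referral == server:
            status = "ok"
        else:
            status = "stale"
        report[tld] = {
            "configured": server,
            "iana": referral,
            "status": status,
            "configured_domain": registrable_domain(server),
        }
    return report


# --- constructed offline data for the demo (not real IANA output) -----------
# whois.dotmobiregistry.net is the expired host from the article; the other
# hostnames and these IANA-style records are constructed/assumed placeholders.
LEGACY_WHOIS_SERVERS = {
    "mobi": "whois.dotmobiregistry.net",
    "example": "whois.nic.example",
    "test": "whois.nic.test",
}

SAMPLE_IANA_RESPONSES = {
    "mobi": "% IANA WHOIS server\ndomain:       MOBI\nwhois:        whois.nic.mobi\nstatus:       ACTIVE\n",
    "example": "% IANA WHOIS server\ndomain:       EXAMPLE\nwhois:        whois.nic.example\n",
    "test": "% IANA WHOIS server\ndomain:       TEST\nstatus:       ACTIVE\n",
}


def offline_fetch(server: str, query: str) -> str:
    """Stand-in for whois_query that serves the constructed records above."""
    assert server == IANA_WHOIS
    return SAMPLE_IANA_RESPONSES.get(query.lower(), "")


if __name__ == "__main__":
    for tld, row in audit_whois_servers(LEGACY_WHOIS_SERVERS, fetch=offline_fetch).items():
        print(f".{tld}: {row['status']:<12} configured={row['configured']} iana={row['iana']}")
```

A "stale" row is the actionable finding: the configured host should be replaced with the IANA referral, and the registrable domain of the old hostname is worth watching, because that is exactly the kind of lapsed name the article describes. The "no-referral" case is kept separate so that an IANA record without a whois: line is reported as unknown rather than silently passed.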
Mitigation and Response:
The UK National Cyber Security Centre (NCSC) and the ShadowServer Foundation have taken steps to mitigate the issue by redirecting the compromised domain to sinkhole systems that now proxy legitimate WHOIS responses for .MOBI domains.
Conclusion:
The discovery of this vulnerability serves as a sobering reminder of the ongoing challenges in securing the fundamental infrastructure of the internet. It emphasizes the constant vigilance required to protect against evolving threats and the importance of proper domain management and maintenance. As the researchers stated, “If we could do this, anyone can,” underscoring the critical need for reinforcing cybersecurity practices and safeguarding against potential vulnerabilities.
Critical vulnerability compromises the security of .MOBI top-level domain