“Improperly Configured WHOIS Server Provides Researcher Unlawful Access to Confidential Information”

"Improperly Configured WHOIS Server Provides Researcher Unlawful Access to Confidential Information"

“Improperly Configured WHOIS Server Provides Researcher Unlawful Access to Confidential Information”


### The $20 Domain That Unveiled a Significant Internet Security Vulnerability

It is rare for a security researcher to stumble on a single flaw that could enable fraudulent HTTPS certificates, email surveillance, and even remote code execution on a large number of servers, all for the price of a $20 domain registration. Yet that is precisely what Benjamin Harris, CEO and founder of the security firm watchTowr, described at the Black Hat security conference in Las Vegas.

Harris's findings expose a harsh reality about the fragility of the Internet's trust infrastructure, and in particular of WHOIS, a directory service that has been part of Internet governance since the early days of ARPANET.

### The Unintentional Seizure of a WHOIS Server

The story begins when Harris noticed that the domain **dotmobiregistry.net**, which had hosted the official WHOIS server for the `.mobi` top-level domain (TLD), had lapsed. WHOIS servers act as authoritative directories of domain registration data, including administrative and technical contact details and other metadata. The `.mobi` TLD, intended for websites tailored to mobile devices, had moved its WHOIS service to **whois.nic.mobi** and allowed the former domain to expire.

Recognizing an opportunity, Harris registered the domain for roughly $20 and stood up his own WHOIS server under **dotmobiregistry.net**. What followed was both astonishing and alarming: within hours, his server was receiving queries from more than 76,000 distinct IP addresses. Over the following five days it handled roughly 2.5 million requests from 135,000 unique systems. The queries came from a wide range of prominent organizations, including domain registrars, security vendors, government bodies, universities, and even certificate authorities (CAs), the organizations responsible for issuing the browser-trusted TLS certificates that underpin HTTPS.

### Trust Misplaced in Legacy Systems

The sheer number of critical systems still querying a defunct WHOIS server points to a deeper problem: misplaced confidence in legacy mechanisms. WHOIS has been part of Internet governance since the 1970s, when it was introduced on ARPANET. Over the decades it has become an essential resource for lawyers, spam-filtering services, certificate authorities, and others who rely on it to verify domain ownership and administrative contact information. Many of these clients evidently ship with a hard-coded list of WHOIS servers per TLD and never check whether that list is still current.

As Harris's investigation shows, the WHOIS system is far from infallible. By running a rogue WHOIS server on the expired name, Harris controlled every field returned to querying systems. He populated his server with junk data for real `.mobi` domains, pointing their administrative contact email addresses at his own domain, **watchtowr.com**. For amusement, he even inserted ASCII art into some records, such as the WHOIS data for **google.mobi**.

The ramifications went well beyond humor. Harris found that his rogue WHOIS server granted him powers he should never have had, including the ability to dictate the email address that certificate authorities such as GlobalSign use to verify domain ownership.

### A Risk to HTTPS Security

One of the most troubling aspects of Harris's finding was the potential to obtain fraudulent TLS certificates. One accepted domain-validation method is for the certificate authority to send a verification email to the administrative contact listed in the authoritative WHOIS record for the domain. Because GlobalSign treated Harris's rogue server as authoritative for `.mobi`, the contact address it looked up was whatever his server returned, and the verification email went to an inbox he controlled.

For example, when Harris submitted a certificate signing request for **microsoft.mobi**, GlobalSign sent the verification email to the address his server had supplied, giving him the opportunity to approve the request from an account he controlled. Harris stopped short of completing issuance for ethical reasons, but the implication was unmistakable: with a fraudulently issued certificate, an attacker could intercept HTTPS traffic, impersonate legitimate websites, and carry out a range of further attacks.
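The following Python is an added example, not code from the original article or from watchTowr. It models the two weaknesses described above: a client that keeps a hard-coded TLD-to-server table instead of following IANA's referral keeps talking to whichever host the expired name now points at, and a validator that takes the admin contact from whatever port 43 returns is trusting a string chosen by the server's operator. The IANA and registry replies are constructed samples, the `.example` hostnames and addresses are placeholders, and the off-domain contact check is a heuristic review flag rather than proof of tampering.

```python
"""Stale WHOIS server tables and untrusted WHOIS replies (added example)."""
import re
import socket

IANA_WHOIS = "whois.iana.org"
WHOIS_PORT = 43
MAX_REPLY_BYTES = 64 * 1024      # bound how much an untrusted server can send us


def whois_query(server, query, timeout=10.0):
    """One raw WHOIS query (RFC 3912): TCP/43, query + CRLF, read until close."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        buf = bytearray()
        while len(buf) < MAX_REPLY_BYTES:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    # The reply's encoding is as untrusted as its content.
    return bytes(buf[:MAX_REPLY_BYTES]).decode("utf-8", errors="replace")


def parse_fields(reply):
    """Collect 'Key: value' lines into {lowercased key: [values]}; skips comments."""
    fields = {}
    for line in reply.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "%#" or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            fields.setdefault(key, []).append(value)
    return fields


def iana_referral(iana_reply):
    """Authoritative WHOIS server for a TLD, taken from IANA's 'whois:' line."""
    servers = parse_fields(iana_reply).get("whois", [])
    return servers[0].lower().rstrip(".") if servers else None


def stale_entries(client_table, iana_replies):
    """Compare a client's hard-coded TLD->server table with IANA's referrals.
    Returns {tld: (configured, authoritative)} for every mismatch."""
    stale = {}
    for tld, configured in client_table.items():
        authoritative = iana_referral(iana_replies.get(tld, ""))
        if authoritative and configured.lower().rstrip(".") != authoritative:
            stale[tld] = (configured, authoritative)
    return stale


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def admin_emails(reply):
    """Admin-contact addresses a WHOIS-based validator would pick out of a reply.
    Whoever answers on port 43 controls these strings."""
    found = []
    for key, values in parse_fields(reply).items():
        if "admin" in key and "email" in key:
            for value in values:
                found.extend(m.lower() for m in EMAIL_RE.findall(value))
    return sorted(set(found))


def off_domain_contacts(domain, reply):
    """Admin addresses whose mail domain is not the queried domain itself.
    Heuristic only: legitimate registrants do use third-party mail."""
    domain = domain.lower()
    return [e for e in admin_emails(reply)
            if e.rsplit("@", 1)[1] != domain and not e.endswith("." + domain)]


# Constructed sample replies (not real server output).
IANA_MOBI = """\
% IANA WHOIS server (constructed sample)
domain:       MOBI
whois:        whois.nic.mobi
status:       ACTIVE
"""

ROGUE_REPLY = """\
Domain Name: example.mobi
Registrar: Example Registrar (constructed sample)
Admin Email: hostmaster@attacker.example
Tech Email: noc@attacker.example
"""

HONEST_REPLY = """\
Domain Name: example.mobi
Admin Email: hostmaster@example.mobi
"""

if __name__ == "__main__":
    # A client table still pointing at the expired .mobi registry hostname.
    table = {"mobi": "whois.dotmobiregistry.net"}
    print("stale:", stale_entries(table, {"mobi": IANA_MOBI}))
    print("off-domain admin contacts:", off_domain_contacts("example.mobi", ROGUE_REPLY))
```

Run as a script it reports the `.mobi` entry as stale and flags the attacker-controlled admin contact; `whois_query()` is the only function that touches the network, so the checks can be exercised against captured replies without talking to a live server.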

“Now that we have the means to issue a TLS/SSL cert for a `.mobi` domain, we can, in theory, engage in all kinds of dreadful actions—ranging from intercepting traffic to mimicking the target server,” Harris noted in his research post. “It’s game over for a multitude of threat models at this stage.”

### Monitoring Email Activity and Executing Code

The threats extended beyond fraudulent certificates. Numerous mail servers and spam-filtering services, including ones operated by government and military organizations, queried Harris's rogue WHOIS server every time they received an email from a `.mobi` domain. Each query revealed that a particular system was receiving mail from a particular domain, giving Harris the ability to track email threads over time and potentially to infer who was involved in sensitive correspondence.

Furthermore, various WHOIS clients and security services contain vulnerabilities that would let a malicious WHOIS server execute code on the querying machine. Ordinarily such bugs are rated low risk, because exploiting them requires control of the WHOIS server the client trusts; an expired registry domain that anyone can buy removes that barrier.