TLDR.Chat

Security Vulnerability Discovered in WHOIS Servers by watchTowr Labs

We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI

Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries.

Summary

What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel rooms - has now seemingly become a

A team at watchTowr Labs stumbled upon a significant security vulnerability while experimenting with WHOIS servers. Initially intending to explore Remote Code Execution (RCE) vulnerabilities in WHOIS clients, they purchased the expired domain dotmobiregistry.net for $20. As a result, they inadvertently controlled a WHOIS server that many organizations, including government entities and cybersecurity firms, were still querying. They discovered that their server was being queried for domain validations, including those by Certificate Authorities (CAs) for issuing TLS/SSL certificates. This presented a serious security risk: by manipulating the WHOIS data they served, they could potentially mislead CAs into issuing certificates for domains. Their findings highlight critical flaws in the internet's infrastructure and the urgent need for improved security measures.

What did the team initially intend to do with the WHOIS server?

They initially aimed to explore vulnerabilities in WHOIS clients and demonstrate Remote Code Execution (RCE) exploits.

What security risk did the team uncover?

They discovered that by controlling a WHOIS server, they could potentially mislead Certificate Authorities into issuing TLS/SSL certificates for domains they did not own, undermining internet security.

Why is this incident significant?

This incident highlights the vulnerabilities in internet infrastructure and the reliance on outdated systems, emphasizing the need for better security practices among organizations and authorities.
