Register.com scrambles to close security hole

[InfoSec News <isn () C4I ORG>]

http://news.cnet.com/news/0-1003-200-2093731.html?tag=st.ne.1002.thed.ni

By Stephen Shankland
Staff Writer, CNET News.com
June 16, 2000, 5:25 p.m. PT

Register.com, the second-largest domain name registrar, has
acknowledged a security problem that could have allowed people to
hijack others' Web sites.

The problem allowed unauthorized access to the security software
Register.com and its business partners use to manage Internet site
information, such as a customer's contact information or the numerical
address associated with a domain name. Spokeswoman Shonna Keogan said
the security vulnerability was fixed today.

The security hole could have allowed someone to hijack any Web site
that had been registered through Register.com, said Dan Nijs, a
Register.com customer. Nijs, a Web site administrator, discovered the
security hole.

Hijacking, in which visitors to a Web site are redirected to another
of an attacker's choosing, has plagued sites such as Internet.com and
RSA Security.

"We're really glad we were able to find out about the hole before any
serious damage was done to anybody's domain information," Keogan said.

Nijs found to his dismay this week that he could get access to this
privileged software just by copying a Web site out of records that
catalog who visits a site. The information was contained in standard
"refer" logs that record previously browsed Web addresses. One entry
in the log was for Register.com's Web-based administration tool, Nijs
said, which came complete with authentication information, or the
equivalent of a password.

"If I was the only one who knew about it, it would be no problem,"
Nijs said. But the vulnerability isn't that hard to take advantage of,
he added. "Anyone who knew about this could have shut down a million
Web sites."

Nijs found he could get access to Register.com's own domain name
information. He said that he also successfully changed his own
Internet site's information.

Register.com has registered about 1.5 million Internet addresses; the
largest Net name registrar is Network Solutions.

Elias Levy, a security expert who runs the Bugtraq mailing list where
Nijs described the problem today, said the bug was a result of sloppy
programming on Register.com's part. "They didn't take the security
aspect of refers into account," he said.

But Register.com isn't the first to suffer from the dangerous
combination of refers and Web-based services that record
authentication information in their Web addresses. Web-based email
providers also have suffered from overly descriptive Web addresses
that allow unauthorized access.

Nijs said a more devious but difficult exploitation of the
Register.com vulnerability could have allowed a person to change email
routing information. By doing so, a person could intercept all the
email a company received, gather information, and then forward the
emails to the company. This would make it harder for the company to
know someone was snooping around their communications.

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".