It’s not something you hear everyday. Matthew Bryant, publisher of The Hacker Blog managed to find DNS vulnerabilities at some of the biggest cloud hosting companies on the planet: Amazon Web Services, Digital Ocean, Rackspace, and Google Cloud. Not only that, but he wrote about how he or really anyone could exploit these vulnerabilities on his blog.
Now it’s important to be clear, the vulnerabilities that Matthew found don’t allow someone to steal a domain name, but it does allow anyone to take control of the domain name from a DNS perspective and therefore put anything they want on your domain. Here’s a deeper look at the issue:
The root of this vulnerability occurs when a managed DNS provider allows someone to add a domain to their account without any verification of ownership of the domain name itself. This is actually an incredibly common flow and is used in cloud services such as AWS, Google Cloud, Rackspace and of course, Digital Ocean. The issue occurs when a domain name is used with one of these cloud services and the zone is later deleted without also changing the domain’s nameservers. This means that the domain is still fully set up for use in the cloud service but has no account with a zone file to control it. In many cloud providers this means that anyone can create a DNS zone for that domain and take full control over the domain. This allows an attacker to take full control over the domain to set up a website, issue SSL/TLS certificates, host email, etc. Worse yet, after combining the results from the various providers affected by this problem over 120,000 domains were vulnerable (likely many more). (Source – The Hacker Blog)
Matthew did the right thing and after discovering these vulnerabilities contacted each of the impacted cloud hosting services. Google actually paid Matt a reward for finding this issue ($1,337 and offered to pledge the same amount to charity) and AWS responded quickly and fixed the problem. What’s interesting is that Rackspace seems to be turning a blind eye and ignoring the issue even after Matthew has tried multiple times to nudge them in the right direction to fix the issue – yikes!
If you have a domain hosted at any of these cloud services you should be in good shape now unless you’re with Rackspace…in which case now might be as good a time as any as to make the move to another provider that actually cares about the security of your domains…