Here’s how one guy found out how to hack 120,000 domain names


It’s not something you hear every day. Matthew Bryant, publisher of The Hacker Blog, found DNS vulnerabilities at some of the biggest cloud hosting companies on the planet: Amazon Web Services, Digital Ocean, Rackspace, and Google Cloud. Not only that, he wrote up on his blog how he, or really anyone, could exploit them.

Now it’s important to be clear: the vulnerabilities Matthew found don’t let someone steal a domain name (the registration stays with its owner), but they do let anyone take control of the domain from a DNS perspective and therefore put anything they want on your domain. Here’s a deeper look at the issue:

The root of this vulnerability occurs when a managed DNS provider allows someone to add a domain to their account without any verification of ownership of the domain name itself. This is actually an incredibly common flow and is used in cloud services such as AWS, Google Cloud, Rackspace and of course, Digital Ocean. The issue occurs when a domain name is used with one of these cloud services and the zone is later deleted without also changing the domain’s nameservers. This means that the domain is still fully set up for use in the cloud service but has no account with a zone file to control it. In many cloud providers this means that anyone can create a DNS zone for that domain and take full control over the domain. This allows an attacker to take full control over the domain to set up a website, issue SSL/TLS certificates, host email, etc. Worse yet, after combining the results from the various providers affected by this problem over 120,000 domains were vulnerable (likely many more). (Source – The Hacker Blog)
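The delegation state the quoted paragraph describes can be checked from the outside. The script below is an added example written for this page, not code from The Hacker Blog or from any of the providers: it maps a domain’s nameservers to the managed DNS services named above (the hostname patterns such as `awsdns-` and `stabletransit.com` are an assumption for illustration and should be verified against each provider’s current documentation), then asks each such nameserver directly for the zone’s SOA. A nameserver that is authoritative for the provider’s other customers but has no zone for this domain typically answers REFUSED or SERVFAIL, and that is the dangling delegation an attacker can claim. `assess` takes a `probe` callable so the verdict logic can be exercised offline with a stubbed response; the default probe sends a real UDP query using only the standard library.

```python
"""Detect a dangling managed-DNS delegation (added example, not the post's code)."""
import random
import socket
import struct

# Nameserver hostname patterns for the managed DNS services named in the
# post. ASSUMPTION for illustration: confirm these against each provider's
# current documentation before trusting a verdict.
PROVIDER_NS_PATTERNS = {
    "Amazon Route 53": ("awsdns-",),
    "DigitalOcean": ("digitalocean.com",),
    "Rackspace Cloud DNS": ("stabletransit.com",),
    "Google Cloud DNS": ("googledomains.com",),
}

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def provider_for(nameserver):
    """Map a nameserver hostname to a managed DNS provider, or None."""
    host = nameserver.lower().rstrip(".")
    for provider, needles in PROVIDER_NS_PATTERNS.items():
        if any(needle in host for needle in needles):
            return provider
    return None


def build_query(name, qtype=6):
    """Encode a minimal DNS question in wire format (QTYPE 6 = SOA)."""
    txid = random.randrange(0, 0x10000)
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def query_rcode(nameserver, name, timeout=3.0):
    """Ask one nameserver directly for the SOA of `name`; return the RCODE.

    A managed-DNS server that hosts other customers' zones but has no zone
    for `name` typically answers REFUSED (5) or SERVFAIL (2).
    """
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nameserver, 53))
        data, _ = sock.recvfrom(512)
    resp_id, flags = struct.unpack("!HH", data[:4])
    if resp_id != txid:
        raise ValueError("DNS transaction id mismatch")
    return flags & 0x000F


def assess(domain, nameservers, probe=query_rcode):
    """Flag a delegation as dangling when every nameserver that belongs to a
    managed DNS provider refuses (or fails) to serve the zone."""
    findings = []
    for ns in nameservers:
        provider = provider_for(ns)
        if provider is None:
            continue  # self-hosted or unknown DNS: out of scope for this check
        rcode = probe(ns, domain)
        findings.append((ns, provider, RCODE_NAMES.get(rcode, str(rcode))))
    dangling = bool(findings) and all(
        rc in ("REFUSED", "SERVFAIL") for _, _, rc in findings
    )
    return {"domain": domain, "findings": findings, "dangling": dangling}


if __name__ == "__main__":
    import sys
    # usage: python dangling_ns.py example.com ns-1.awsdns-01.org ns-2.awsdns-02.net
    print(assess(sys.argv[1], sys.argv[2:]))
```

Feed `assess` the NS records the parent zone hands out (for example `dig +short NS example.com`), not the ones a possibly stale resolver cache returns. A REFUSED answer is a signal, not proof: confirm it only on domains you own, since the confirming step is to see whether the provider lets you create the zone, and the providers that paid or fixed may no longer allow that. A NOERROR answer carrying the SOA means a zone exists and the delegation is healthy.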

Matthew did the right thing: after discovering these vulnerabilities he contacted each of the affected cloud hosting services. Google paid Matt a reward for finding the issue ($1,337, and offered to pledge the same amount to charity), and AWS responded quickly and fixed the problem. What’s interesting is that Rackspace seems to be turning a blind eye and ignoring the issue, even after Matthew tried multiple times to nudge them toward a fix – yikes!

If you have a domain hosted at any of these cloud services you should be in good shape now, unless you’re with Rackspace, in which case now might be as good a time as any to move to a provider that actually cares about the security of your domains. Whoever hosts your DNS, part of the fix is on your side: when you delete a zone, change or remove the domain’s nameserver delegation at the registrar in the same step, and periodically check that every domain whose NS records point at a managed provider still has a zone in one of your accounts.


  • Nick December 6, 2016, 11:30 pm

    Thank you for this!

  • KoolBranding December 7, 2016, 4:21 am

    Interesting that your article does not mention the response of DigitalOcean. I’ve personally had this problem with them, over a year ago and on multiple occasions, and I did alert them to this issue, and they never did anything about it. They merely deal with the problem at hand, which is to request a list of my affected domains to do verification on, and promise to look into it. I’ve had to contact them multiple times for the same issue and had the same experience. The domains in my case were hijacked and parked with ad-filled parking pages, and they refused to give me information on the account holder who illegally hijacked and used my domains for personal gain through advertising, and they refused to tell me what they would do with the offending account, claiming that they do not comment on how they deal with such issues. Baffling, to say the least.

  • Joe December 7, 2016, 12:28 pm

    Post too late

    Access to domain names has been an issue with many major registrar companies, which have ignored even large lawyers in this market and the ICANN body itself.

    I go through this, and the same even happened with new domain registrars in this fashion, and with time many of you who are experts realize that you now also suffer what I have been suffering since 2008, but before it was taboo or was really vodoo. The one who discovered what to do with me was the domain parking vodoo.com.

    Before we were in a cloud where nothing existed; now the cloud exists and it is discovered that more than 120,000 domains may be in danger.

    When Moniker had the failure of the transfers, more than 250,000 domain names were lost, and only the posts of those domainers who lost their domain names were written. This is as before, when Network Solutions pioneered it, or also in the beginnings of GoDaddy, when domain names that you searched for and did not buy ended up in their power. Who told them something? Who posted some warning post, like “make your friend”?
    Never anyone.

  • Emmanuel Achudume March 15, 2020, 5:47 am

    How can someone help me hack this website to get my funds back from them?
    Please reply to me as soon as possible, thanks. Contact me on WhatsApp 07066911425.

  • Emmanuel Achudume March 15, 2020, 5:49 am

    Here is the website: https://forex-pro.uk/ I need a professional hacker to hack this site to get my funds back.

