Future Tense

Websites Ending In “.AS” Have Been Vulnerable to Takeovers Since the ’90s

The dangers of web browsing.


Alongside generic top-level domains like “.com”, the two-letter country-code domains assigned to specific countries (“.ly” for Libya, for instance) have become popular for short, customizable URLs. But the registries behind these domains have a track record of security issues. The latest is a flaw in the registry for American Samoa’s “.as” domain that, for years, left every site using the suffix open to takeover.

On Monday, British security blogger Infosec Guy published evidence of a vulnerability in the “.as” top-level domain that allows anyone to view and alter domain records, which include things like administrator contact information and plain-text passwords.

The flaw is an access-control bug in the registry’s domain-lookup interface. Users are only meant to look up the details of domains they are “allowed” to see, but the registry never enforced that check, so anyone could view, and by the report’s account change, any domain’s records. Because a domain’s nameserver records decide which DNS servers answer for it, rewriting them hands an attacker control of where every hostname under that domain resolves. “A malicious attacker could quite easily modify any domain information—such as Nameservers—allowing them to take control of websites by redirecting their traffic to servers they control,” Infosec Guy wrote.
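To make the bug concrete, here is an added example (not code from the .as registry, Infosec Guy’s report, or the article) modelling a registrar’s “domain details” endpoint that authenticates the caller but never checks ownership, beside a corrected version that does. The registry layout, account names, domains and nameservers are all assumptions for illustration; the hijack path mirrors the nameserver change the report describes.

```python
"""
Added example: a broken-access-control bug on a registrar lookup/update
endpoint, and the ownership check that fixes it. Everything here (data
model, accounts, domains) is constructed for illustration; it is not the
.as registry's real code.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DomainRecord:
    owner: str                       # account that registered the domain
    admin_email: str                 # contact data the report said was exposed
    nameservers: List[str] = field(default_factory=list)


def make_registry() -> Dict[str, DomainRecord]:
    """Constructed sample data standing in for the registry database."""
    return {
        "example.as": DomainRecord("alice", "admin@example.as",
                                   ["ns1.example.as", "ns2.example.as"]),
        "shop.as": DomainRecord("bob", "ops@shop.as", ["ns1.shop.as"]),
    }


class Forbidden(Exception):
    """Raised when a caller asks for a domain they do not own."""


# --- vulnerable version: authenticated, but never authorized -------------

def get_record_vulnerable(registry, session_user: str, domain: str) -> DomainRecord:
    """Looks the record up by name only. session_user is known (the caller
    logged in) but is never compared with record.owner, so any account can
    read any domain's details."""
    return registry[domain]


def set_nameservers_vulnerable(registry, session_user: str, domain: str,
                               nameservers: List[str]) -> None:
    """Same defect on the write path. Changing NS records re-delegates the
    whole zone, so a hijacker decides what every name under it resolves to."""
    registry[domain].nameservers = list(nameservers)


# --- fixed version: one central ownership check on every path ------------

def _authorize(registry, session_user: str, domain: str) -> DomainRecord:
    record = registry.get(domain)
    if record is None or record.owner != session_user:
        # Same error for "no such domain" and "not yours", so the endpoint
        # cannot be used to enumerate which domains exist.
        raise Forbidden(f"{session_user} may not access {domain}")
    return record


def get_record_fixed(registry, session_user: str, domain: str) -> DomainRecord:
    return _authorize(registry, session_user, domain)


def set_nameservers_fixed(registry, session_user: str, domain: str,
                          nameservers: List[str]) -> None:
    _authorize(registry, session_user, domain).nameservers = list(nameservers)


def hijack_demo() -> dict:
    """Runs the attack as 'bob' against 'alice' on a fresh registry, first
    through the vulnerable endpoints, then through the fixed ones."""
    registry = make_registry()
    result = {}
    # Vulnerable: bob reads alice's contact data and redirects her domain.
    result["leaked_email"] = get_record_vulnerable(registry, "bob", "example.as").admin_email
    set_nameservers_vulnerable(registry, "bob", "example.as", ["ns1.attacker.example"])
    result["hijacked_ns"] = registry["example.as"].nameservers
    # Fixed: the identical request is refused and the record is untouched.
    registry = make_registry()
    try:
        set_nameservers_fixed(registry, "bob", "example.as", ["ns1.attacker.example"])
        result["fixed_blocked"] = False
    except Forbidden:
        result["fixed_blocked"] = True
    result["ns_after_fix"] = registry["example.as"].nameservers
    return result


if __name__ == "__main__":
    print(hijack_demo())
```

The point of the fixed version is that the ownership check lives in one helper called by both the read and the write path; an interface that checks ownership on the edit form but not on the lookup, or the other way round, still leaks exactly the data the report describes.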

Infosec Guy writes that he contacted the AS Domain Registry in January about the bug. Though he encountered some resistance, the group eventually patched it in February. A statement from the American Samoa Domain Registry says, “We fixed the potential issue back in February with the legacy Registrar system before any problems arose. There was never any potential for unauthorized changes to domain name information, as the Legacy Registrar system is a manual system.”

One comment in the statement describes Infosec Guy’s report as “inaccurate, misleading and sexed-up to the max.” Naked Security, the blog by cybersecurity company Sophos, described the statement as “a belligerent press release.”

American Samoa’s top-level domain may seem obscure, but plenty of big companies use it for vanity URLs like a.did.as and twitter.as. If the registry really was exposed for almost two decades, then the contact details, passwords and nameserver records of every domain under “.as” sat within reach of anyone who cared to look for that entire period.