It was the evening of July 7 when security researcher Matthew Bryant noticed that the domains ns-a1.io, ns-a2.io, ns-a3.io, and ns-a4.io were not reserved. Surprisingly, he coud buy them for $95.99 apiece.
The aforementioned domain names, alongside with a0.nic.io, b0.nic.io, and c0.nic.io, are by convention meant for authoritative DNS servers. It means they are normally controlled by the administrators of the .io zone, and cashing DNS servers only copy their records.
By gaining control over four of seven domain names viewed as those belonging to authoritative DNS servers by default, the researcher could have potentially hijacked a significant share of traffic in the .io zone.
There are about 270,000 domain names in the zone, and all of their owners could have had a part of their visitors misled to a third-party server. Most of the registrants have no relation to the British Indian Ocean Territory, for which the first-level domain has originally been created. Plenty of them are start-ups.
If a malefactor had taken over the zone, he or she could have performed a phishing attack in which the URLs would have been valid: the DNS servers would have misled the visitors to websites controlled by the attacker.
It would also have been possible to hijack emails, as their rooting is based on MX records, stored on DNS servers among others. On top of this, an attacker would have been able to carry out various man-in-the-middle (MITM) attacks.
Luckily, Bryant wore a white hat. So, having spotted the issue, he immediately tried to contact the administrators of the .io zone. The official email “bounced” with a server’s response that the address doesn’t exist at all. Only after that the researcher registered the infrastructure domains.
The registrar’s support line suggested to email on the [email protected] address of the zone. As the result, the delegated domains were revoked, and Bryant received a refund. In his blog note, the researcher depicts a happy ending:
“All said and done this was actually an excellent response time (though usually I just get a ‘fixed it’ response via email instead of a Legal Department notice). After verifying that I was not able to re-register these domains it would appear that this had been completely remediated.”
As The Register explain, the mistake had been made during a handover of the .io registry from .IO LTD to Afilias, a third-party company:
“Somewhat unusually, .IO TLD decided it wanted to continue to run the .IO name servers, but outsourced the rest of the registry operations to Afilias. Afilias locked down the three main name server addresses — A0.nic.io, B0.nic.io and C0.nic.io — but failed to do the same for the other four, leaving them available for registration.”