Global domain-name overlord ICANN has found another security hole in its systems.
This time, confidential data on companies vying for new dot-word domains may have been snooped on by rivals logged into ICANN's catch-all portal – meaning commercially sensitive information as well as important technical details on the internet's expansion were at risk. The org has since taken the vulnerable web apps offline.
"Under certain circumstances an authenticated portal user could potentially view data of, or related to, other users," the non-profit said in an announcement.
That data includes: technical information on adding new generic top-level domains (gTLDs) to the internet's root DNS; contact information; commercially sensitive details of dot-word launches; and interactions between the operators of core pieces of the internet's domain name system and ICANN as its overseer.
"There is currently no indication that this issue resulted in any actual exposure of data to an unauthorized party," ICANN added. "There is also no indication that anyone other than those authorized to access the portal did so. We are working to implement a solution to the reported issue and bring the portals back online."
ICANN's "Global Domains Division (GDD) Portal" oversees all the operations of generic top-level domains. It was rolled out just under a year ago. The website covers all communications with the operators of these top-level domains – such as .london and .book – and runs on Salesforce's secure platform.
Since Salesforce has not announced a vulnerability in its software, it suggests ICANN's staff improperly set up the portal, leaving sensitive data exposed to other authenticated users.
Not the first time
The cockup is reminiscent of another ICANN security wobble, also concerning new gTLD applications, when users reported they could see the details of other applicants when they logged into ICANN's system.
That "glitch" back in April 2012 saw ICANN take down its web app for a month, and forced a delay on the launch of its landmark dot-word gold-rush that it had been working on for more than four years.
This week's announcement also follows on the heels of a spear-phishing attack in December where a number of ICANN's systems were compromised including the Centralized Zone Data System (CZDS) – where the internet core root zone files are mirrored – the wiki pages of the Governmental Advisory Committee (GAC), the domain registration Whois portal, and the organization's blog.
That incident revealed that ICANN did not use even basic two-factor authentication for many of its systems.
Coincidentally around the same time as the December snafu, dot-com registry and maintainer of the internet's root zone, Verisign, warned in a lengthy paper that it was concerned about ICANN's technical competence.
The 33-page report provided a long list of technical and security problems at ICANN, and noted that there was a "growing list of examples where ICANN's operational track record leaves much to be desired."
ICANN's budget has exploded in the past year thanks to the gTLD program, which saw nearly 2,000 applications for new internet extensions, each costing $185,000 simply to apply for. In addition, ICANN has so far received more than half its previous annual budget (over $30m) in proceeds from auctions for new dot-words where there were competing parties. ICANN also receives fees from both registries and registrars based on the number of domain names that are registered.
Despite the explosion in income, just five per cent of ICANN's budget is spent on performing the technical job that it was originally created to carry out. ®