WHOIS embarrassed about security? APNIC, after database leaks

Asia's internet numbers registry APNIC has apologised to network owners after a slip in its WHOIS database config leaked credentials, including weakly-hashed passwords.

The breach affected those in the regional registry's Maintainer and Incident Response Team (IRT) database objects. During a June 2017 upgrade, those details were included in downloadable WHOIS data.

“Maintainer” is the administrative object that restricts who is allowed to edit other objects in the APNIC database; the IRT object identifies who receives abuse reports.

Chris Barcellos of eBay's Red Team noticed the data on a third-party Website on October 12 and notified APNIC. The registry's deputy general director Sanjaya^* writes that the database configuration was fixed on October 13, and subsequently the relevant passwords were reset.

Had an attacker been able to recover the passwords, they could have altered WHOIS information or hijacked IP address blocks.

As this configuration guide shows, one of the hash options available is crypt-pw, a weak and easily-reversed hash because it can only handle eight-character passwords.

APNIC says it hasn't found evidence of malicious activity as the result of the breach. Had anybody altered the records, it would not have been permanent, since “authoritative registry data is held internally by APNIC”. ®

^* Sanjaya uses just one name.