Security Bug in ICANN Portals Exploited to Access User Data

The Internet Corporation for Assigned Names and Numbers (ICANN) announced on Thursday the completion of the first phase of its investigation into the impact of a vulnerability affecting two of the organization’s generic top-level domain (gTLD) portals.

On February 27, ICANN shut down the New gTLD Applicant and GDD (Global Domains Division) portals after learning of a security flaw that exposed user records. The affected websites are only accessible to applicants and registry operators, and they are used in the evaluation and contracting processes.

In early March, shortly after restoring access to the affected portals, ICANN noted that it hadn’t found any evidence of unauthorized access. However, after reviewing logs dating back to April 2013, when the New gTLD Applicant portal was activated, and March 2014, when the GDD portal was activated, the two consulting firms called in by ICANN to investigate the incident determined that some users had in fact accessed records that didn’t belong to them.

“Based on the investigation to date, the unauthorized access resulted from advanced searches conducted using the login credentials of 19 users, which exposed 330 advanced search result records, pertaining to 96 applicants and 21 registry operators. These records may have included attachment(s). These advanced searches occurred during 36 user sessions out of a total of nearly 595,000 user sessions since April 2013,” ICANN said.

The organization says it will notify affected users “shortly” and inform them on which portion of their data was accessed and when. By May 27, they will also know the identity of the users who viewed their information.

Those who exploited the vulnerability to view the details of other users are being contacted by ICANN. The organization is asking them to motivate their activity, and to certify that they will delete or destroy the data they have obtained, and that they will not use it or distribute it to third parties.

“We realize that any compromise of our users’ data is unacceptable and take this situation, as well as user trust, very seriously,” stated ICANN’s Chief Information and Innovation Officer, Ashwin Rangan. “Since I joined ICANN last year, we have increased our focus on quickly hardening our digital services. We have already taken several steps to accomplish this objective and guard ICANN’s digital assets against escalating cyber threats, however there is more to do. We deeply regret this incident and pledge to accelerate our efforts to harden all of our digital services, many of which have been in service for as long as 15 years.”

This isn’t the only security incident involving ICANN. In December, ICANN revealed that the email credentials of several staff members had been compromised in a spear phishing attack. The organization noted that the most critical systems were not breached, but the attackers had managed to obtain administrative access to files in the Centralized Zone Data Service (CZDS).