September 11, 2024 at 07:07AM
During Black Hat, watchTowr Labs researchers presented vulnerabilities in the WHOIS protocol. To demonstrate the potential for misuse, they purchased an expired domain and found that numerous organizations and government entities were still sending WHOIS queries to it, which highlights serious security concerns. The researchers also identified weaknesses in how TLS/SSL certificate authorities rely on WHOIS data, raising critical internet security issues.
The meeting notes highlight the concerns and implications raised by watchTowr Labs researchers regarding the vulnerabilities they found in the WHOIS protocol. They discovered that the WHOIS server for the .mobi top-level domain had moved to a new address, so the team set up their own WHOIS server on the expired domain to identify and respond to systems still querying it. This allowed them to identify numerous entities, including cybersecurity firms, mail servers of governments and universities, domain registrars, and certificate authorities, that were still querying the expired domain, exposing potential security risks and vulnerabilities.
The team also expressed concern that nation states could misuse these vulnerabilities to intercept internet traffic, target individual users, and potentially co-sign malware using the identity of legitimate entities. They emphasized how easily known vulnerabilities in various systems can be exploited and called for addressing the broader issues of expiring domains, throwaway infrastructure, and the vulnerabilities in TLS/SSL certificate authorities.
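The precondition for the scenario described above is a hard-coded WHOIS server whose own domain has lapsed or is about to. The following audit script is an added example, not watchTowr's code: it walks a constructed TLD-to-server referral table, derives each server's registrable domain (assumed here to be the last two labels; production code should use the public suffix list), and classifies each referral from a constructed WHOIS record of that domain as ok, expiring, expired, or unknown. A CA or WHOIS client that keeps such a table can run this check against live registry data before trusting contact details returned by the referred server.

```python
import re
from datetime import date, timedelta

# Constructed TLD -> WHOIS server table, in the spirit of the hard-coded
# referral lists that whois clients and CA validation pipelines carry.
REFERRALS = {
    "example": "whois.nic.example",
    "test": "whois.old-registry.invalid",
    "local": "whois.lapsing-registry.invalid",
    "zz": "whois.no-record.invalid",
}

# Constructed WHOIS records for the server *domains* themselves, as a live
# query of each domain's own registry would return them (ICANN-style labels).
WHOIS_RECORDS = {
    "nic.example": "Domain Name: NIC.EXAMPLE\nRegistry Expiry Date: 2031-01-01T00:00:00Z\n",
    "old-registry.invalid": "Domain Name: OLD-REGISTRY.INVALID\nRegistry Expiry Date: 2024-08-15T00:00:00Z\n",
    "lapsing-registry.invalid": "Domain Name: LAPSING-REGISTRY.INVALID\nExpiration Date: 2024-10-01\n",
}

# Matches "Registry Expiry Date:" and the older "Expiration Date:" label.
EXPIRY_RE = re.compile(r"^(?:Registry )?Expir(?:y|ation) Date:\s*(\d{4}-\d{2}-\d{2})", re.M | re.I)

def registrable_domain(host):
    # Assumption: two-label registrable domain; use the public suffix list in real code.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_expiry(whois_text):
    m = EXPIRY_RE.search(whois_text)
    return date.fromisoformat(m.group(1)) if m else None

def classify(expiry, today, warn_days):
    if expiry is None:
        return "unknown"      # no record found: cannot vouch for the server domain
    if expiry < today:
        return "expired"      # the domain may already belong to someone else
    if expiry - today <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def audit_referrals(referrals, records, today, warn_days=90):
    """Return {tld: (server, registrable_domain, status)} for every referral."""
    result = {}
    for tld, server in referrals.items():
        dom = registrable_domain(server)
        result[tld] = (server, dom, classify(parse_expiry(records.get(dom, "")), today, warn_days))
    return result

if __name__ == "__main__":
    for tld, (server, dom, status) in audit_referrals(REFERRALS, WHOIS_RECORDS, date(2024, 9, 1)).items():
        print(f".{tld:<8} {server:<32} {dom:<28} {status}")
```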
In summary, the meeting notes shed light on the significant security implications and potential risks of the WHOIS protocol vulnerabilities discovered by watchTowr Labs, along with the researchers' concerns about the trust placed in internet protocols and encryption processes.