Ronny Lam


How Sensitive Is a Registrar to Social Engineering

In my previous post I wrote about how an attacker hijacked a domain to get to his victim, who had a single-character Twitter handle. I also questioned in that post how my own registrar, MijnDomein, would handle social engineering techniques. But what I experienced yesterday with the hoster/registrar of my employer is beyond imagination.

I was working with a colleague to enable SSL on all our web services. Most web services we host ourselves on Amazon EC2, but there was still one web service running on a Direct-Admin server at the hoster/registrar. First, the connection to the dashboard is not encrypted, so everything you do is world readable. The dashboard gives access to the database, mail options, filesystem, web service and DNS zones. We were trying to add an SSL certificate through the dashboard when it started to complain that you need an individual IP address for that. So, apparently the IP address is shared and Direct-Admin uses vhosts or something to differentiate.

That’s when we went to the hoster/registrar’s website and started a chat from there. This chat is encrypted, but not authenticated. You just type your email and question and off goes the chat. We mentioned that we were trying to install an SSL certificate for our domain. The person on the other side replied that we could use the shared certificate. No, we wanted to install our own. He replied that we would need to buy an IP address, which would cost 20 euros. 20 euros is a lot of money for an IP address, so we asked when our contract would end. In my opinion this is personal information, and we were still not authenticated. He replied with the date, which was still 11 months ahead. So we asked him to install the IP address. He generated an order that would cost 20 euros, unauthenticated.

I bet that if we had asked him to reset our password or something like that he would still have done it. This does not feel good. With this registrar I am sure it is very easy to gain access to an account and hijack domains as mentioned in the previous post. It is people like this who are very dangerous for chain-hacking. It was very easy to get some information that I could use in a further attack. And with this person I am sure I could gain access to the system in the same single chat.
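The gap in the chat above is that transport encryption was mistaken for authentication: the agent never had any proof that the person typing was the account holder before revealing the contract end date and creating a billable order. The following is an added illustration of the gate a support desk should put in front of such actions; it is hypothetical code written for this post, not the registrar's system. The account table, domain name, contract date and action names are all constructed for the example. The idea is that account-specific disclosures, billable changes and credential resets are only answered once the requester has echoed back a single-use code sent out of band to the address on file.

```python
"""Added illustration of a support-desk verification gate (hypothetical, not the
registrar's code): account actions are refused until the requester proves
control of the account with a one-time code delivered out of band."""
import hashlib
import hmac
import secrets
import time

# Constructed sample account records for the demo.
ACCOUNTS = {
    "example.com": {"email": "admin@example.com", "contract_end": "2015-12-01"},
}

# Questions the agent may answer to anyone vs. actions bound to an account.
PUBLIC_ACTIONS = {"explain_shared_certificate"}
ACCOUNT_ACTIONS = {"disclose_contract_end", "order_dedicated_ip", "reset_password"}


class SupportDesk:
    CODE_TTL = 600  # seconds a one-time code (and the session it unlocks) stays valid

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # domain -> (hmac of code, expiry)
        self._verified = {}      # domain -> expiry of the verified chat session
        self._key = secrets.token_bytes(32)  # per-process key for storing codes as MACs

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def start_verification(self, domain):
        """Issue a single-use code for the domain's account holder.

        In production the code is mailed to ACCOUNTS[domain]["email"] and never
        shown in the chat; the demo returns it so the flow can run offline."""
        if domain not in ACCOUNTS:
            return None
        code = secrets.token_hex(4)
        self._pending[domain] = (self._digest(code), self._now() + self.CODE_TTL)
        return code

    def confirm(self, domain, code):
        """Consume the pending code; one attempt only, and only before expiry."""
        entry = self._pending.pop(domain, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry or not hmac.compare_digest(digest, self._digest(code)):
            return False
        self._verified[domain] = self._now() + self.CODE_TTL
        return True

    def is_verified(self, domain):
        return self._verified.get(domain, 0) > self._now()

    def handle(self, domain, action):
        """Return the agent's reply; anything account-specific needs a verified requester."""
        if action in PUBLIC_ACTIONS:
            return "ok: shared certificate is available on the shared IP"
        if action not in ACCOUNT_ACTIONS:
            return "refused: unknown action"
        if not self.is_verified(domain):
            return "refused: verify control of the account first"
        if action == "disclose_contract_end":
            return f"ok: contract ends {ACCOUNTS[domain]['contract_end']}"
        if action == "order_dedicated_ip":
            return "ok: order created for a dedicated IP address"
        return "ok: password reset link sent to the address on file"


if __name__ == "__main__":
    desk = SupportDesk()
    print(desk.handle("example.com", "disclose_contract_end"))   # refused: not verified
    code = desk.start_verification("example.com")                # would be e-mailed
    print(desk.confirm("example.com", code))                     # True
    print(desk.handle("example.com", "order_dedicated_ip"))      # ok: order created
```

The point of the design is that the cost of talking to a chat agent stays low for generic questions, while every answer that could feed a later attack (a contract date, an order, a password reset) requires the same proof of control that logging in would. A wrong code consumes the pending challenge, so guessing is not possible, and the unlocked session expires with the code.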

The moral of this story is that you should very thoroughly check your registrar, and not only your registrar but almost every service that you use. Because, as mentioned before, this chain-hacking could lead to serious problems. Out of courtesy I have not mentioned the names of the hoster/registrar and the customer service person, yet.