How a vulnerability in REG.RU made it possible to obtain the registration data of any domain

 
Today I want to talk about how, back in 2012, I found a vulnerability in the domain registration system of the company REG.RU. Very often I see stories in which the authors describe vulnerabilities and mention that the company paid no attention to the reported bug for a long time or never fixed it at all. In my case everything was exactly the opposite, and the vulnerability was eliminated very quickly.
In September 201? REG.RU began registering domains in the ru.com zone and sent letters to all its customers offering a free first year for a domain in the new zone with the same name as a domain they had already registered in the ru, RF, su, com or net zones.

Getting a free domain turned out to be quite simple: you had to follow the link from the letter and enter the activation code for the domain, and the domain was registered free of charge for a year.

Before registering a domain, the system offered to review the contact details of the "original" domain for which the gift domain would be registered, but this data was shown read-only, so the point of displaying it at all was unclear. However, this was the first bug: registration of a new domain was available at a link of the form https://www.reg.ru/domain/new/get_free_ru_com?service_id=XXXX, and the service ID could simply be enumerated to see to whom each domain was registered.

REG.RU specialists then changed it so that contacts were not shown in full, only the first 7 characters of each field, which in theory should not fully disclose information about the domain owner. However, my first name and last name, for example, were each shorter than 7 characters and were shown in full. On top of that, if you show the first 7 characters of a name, you can very often guess which characters to add; a simple example is "Vladimi".

This bug was fixed fairly quickly, and the system then showed only the first 4 characters, which was much better, although a person named "Han Solo" would not be very pleased.

The next bug was the ability to register a domain without entering an activation code. So that all domain owners did not rush to register free domains at once, REG.RU decided to send the letters not immediately but over a couple of days, so that the load was distributed evenly. Technically it worked like this: in the database table with domains, a new column "Authorization code" was created with a null value, and from time to time users were sent letters while this field was filled with the generated code. Simple enumeration of a link of the form https://www.reg.ru/domain/new/get_free_ru_com?service_id=XXXX, increasing the service ID up to values for which the system had not yet issued an authorization code, made it possible to register such a domain with an empty code.

There was nothing wrong with registering such a domain in itself, but after registration it turned out that the full contact details (name, address and telephone number) of the owner of the "original" domain became visible without any masked characters. The bug was easy to fix by simply adding a check for a non-empty authorization code during registration, which the REG.RU specialists quickly did.

After a while I found another bug, but it required a bit more effort than just enumerating the service ID. To simplify the registration procedure for gift domains, REG.RU made it possible to register a domain without entering the authorization code from the letter if the e-mail address of the reg.ru account matched the e-mail address specified as a contact for the original domain. That was quite convenient for the user, but from a security point of view it was not so good.

In 201? the law on the protection of personal data did not exist in its current edition, and for many domains in the ru zone you could see the contact e-mail address through Whois. By the time I found this bug the e-mail address was already hidden, but through Whois history services the e-mail could still be viewed, and most likely it was still valid. After that, it was enough to register in the REG.RU system with this e-mail address and then, without an authorization code, obtain a free domain, which in turn opened access to the contact information of the original domain.

In short, the procedure was as follows:

1. Go to a page of the form https://www.reg.ru/domain/new/get_free_ru_com?service_id=XXXX and look at the domain name with this ID, for example habr.ru.com.
2. Through a Whois history viewer, find the e-mail address for the domain habr.ru.
3. Using this e-mail address, create an account in the REG.RU system (at the time, no confirmation of ownership of the e-mail address was required).
4. Without entering the verification code, register the domain habr.ru.com and see the full contact details of the owner of habr.ru.
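The three defects described above (a prefix mask that exposes short fields, an empty code matching a not-yet-issued code, and an e-mail shortcut that trusts an unverified mailbox) can be modelled in a few lines. This is an added, constructed illustration, not REG.RU's code (which is not public); the Service class, the field names and the sample values are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Service:
    """Constructed model of one row in the domain table described in the post."""
    service_id: int
    domain: str
    contact_email: str
    auth_code: Optional[str]  # NULL until the mailing job generates a code


def mask_field(value: str, keep: int = 4) -> str:
    """Show only a prefix of a contact field. Bug 1 in the post: a fixed prefix
    (7, later 4 characters) fully exposes any value no longer than the prefix,
    so values that short are masked entirely here."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def can_register_vulnerable(svc: Service, submitted_code: str, account_email: str) -> bool:
    """Flawed check modelled on the post: an empty submitted code equals the NULL
    (not yet issued) code, and an unverified account e-mail that matches the
    contact e-mail bypasses the code altogether."""
    if (submitted_code or "") == (svc.auth_code or ""):
        return True
    return account_email == svc.contact_email


def can_register_fixed(svc: Service, submitted_code: str, account_email: str,
                       account_email_verified: bool) -> bool:
    """Hardened check: a code must have been issued AND supplied, and is compared
    in constant time; the e-mail shortcut only applies to a verified mailbox."""
    if svc.auth_code and submitted_code and hmac.compare_digest(submitted_code, svc.auth_code):
        return True
    return account_email_verified and account_email.lower() == svc.contact_email.lower()


if __name__ == "__main__":
    # Constructed row whose authorization code has not been generated yet.
    pending = Service(1001, "habr.ru", "owner@example.invalid", None)
    print(can_register_vulnerable(pending, "", "someone@else.invalid"))      # True (bug)
    print(can_register_fixed(pending, "", "someone@else.invalid", False))    # False
    print(mask_field("Han"), mask_field("Vladimir"))                         # *** Vlad****
```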

The errors made by REG.RU could potentially have led to the leakage of a large amount of personal data of domain owners, but all the bugs were fixed very quickly. From the moment I wrote the first letter (and I wrote it personally to the executive director of REG.RU), less than two days passed before all the vulnerabilities were fixed, which in my opinion is a very short time for a company of this size, especially compared with the time other corporations take to fix vulnerabilities.