Latest news of the domain name industry

Recent Posts

It’s worse than you thought: TAS security bug leaked new gTLD applicant data

Kevin Murphy, April 13, 2012, 08:30:36 (UTC), Domain Registries

The bug that brought down ICANN’s TLD Application System yesterday was actually a security hole that leaked data about new gTLD applications.

The vulnerability enabled TAS users to view the file names and user names of other applicants, ICANN said this morning.

COO Akram Atallah said in a statement:

We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios.

Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward.

Given the level of secrecy surrounding the new gTLD application process, this vulnerability ranks pretty highly on the This Is Exactly What We Didn’t Want To Happen scale.

It’s not difficult to imagine scenarios in which a TAS user name or file name contains the gTLD string being applied for.

This is important, competition-sensitive data. If it’s been leaked, serious questions are raised about the integrity of the new gTLD program.

How long was this vulnerability present in TAS? Which applicants were able to look at which other applicants’ data? Did any applicants then act on this inside knowledge by filing competing bids?

If it transpires that any company filed a gTLD application specifically in order to shake down applicants whose data was revealed by this vulnerability, ICANN is in for a world of hurt.

Tagged: , , , ,

Comments (7)

  1. John Smith says:

    What is the difference between a North Korean rocket and the ICANN new gTLD project?

    – The North Korean rocket takes off before crashing…

  2. John Berryhill says:

    “It’s not difficult to imagine scenarios…”

    “If it transpires that…”

    I love news publications that include daily horoscopes.

      • John Berryhill says:

        The “…” indicates the rest of the sentence:

        “If it transpires that any company filed a gTLD application specifically in order to shake down applicants whose data was revealed…”

        You are now saying this came true? Where? You cite once source who noticed and duly reported it. Your speculation is that someone exploited it. You have not established that such a thing has “come true”, and that was the proposition you posed in the sentence I quoted.

        How many times “who saw what” is likely going to be apparent from an analysis of the system event logs, in view of the scenario (generation of at least one of several system errors).

        • Kevin Murphy says:

          Fair cop, John.

          You got me.

          From now on, I’ll only explain what happened and not attempt to give any context about why it might be important.

          • Avtal says:

            Kevin,

            Here’s how the big names at the Wall Street Journal and the New York Times do it:
            “An observer noted that it’s not too difficult to imagine scenarios…”
            “An analyst observed that if it transpires that…”

            The sentences become more awkward, and you either have to invent analysts/observers or find some that will actually say these things. But doing this will magically protect you against charges of practicing astrology without a license.

            By the way, the WSJ yesterday referred to you as “a respected industry commentator” (see http://blogs.wsj.com/digits/2012/04/12/icann-forced-to-delay-web-domain-deadline/). Congratulations!

          • Avtal says:

            On second thought: Please ignore the first half of my previous post. As a Respected Industry Commentator, you should of course comment however you wish. Please keep up the great work!

            P.S. to John Berryhill: In observance of the upcoming 4-20 events, you might consider whether you should stop harshing Kevin’s mellow.

Add Your Comment