ICANN knew about TAS security bug last week

Kevin Murphy, April 13, 2012, 15:03:01 (UTC), Domain Registries

ICANN has known about the data leakage vulnerability in its TLD Application System since at least last week, according to one new top-level domain applicant.

The applicant, speaking to DI on the condition of anonymity today, said he first noticed another applicant’s files attached to his gTLD application in TAS last Friday, April 6.

“I could infer the applicant/string… based on the name of the file,” said the applicant.

He immediately notified ICANN and was told the bug was being looked at.

ICANN revealed today that TAS has a vulnerability that, in the words of COO Akram Atallah, “allowed a limited number of users to view some other users’ file names and user names in certain scenarios.”

The actual contents of the files are not believed to have been visible.

But other applicants, also not wishing to be identified, today confirmed that they had uploaded files to TAS using file names containing the gTLD strings they were applying for.

It’s not yet known how many TAS users were able to see files belonging to others, or for how long the vulnerability was present on the system.

However, it now does not appear to be something that was accidentally introduced during yesterday’s scheduled TAS maintenance.

This kind of data leakage could prove problematic — and possibly expensive — if it alerted applicants to the existence of competing bids, or caused new competing bids to be created.

ICANN shut down TAS yesterday and does not expect to bring it back online until Tuesday.

The window for filing applications, which had been due to close yesterday, has been extended until 2359 UTC next Friday night.

April 14 Update

ICANN today released a statement that said in part:

we are sifting through the thousands of customer service inquiries received since the opening of the application submission period. This preliminary review has identified a user report on 19 March that appears to be the first report related to this technical issue.

Although we believed the issues identified in the initial and subsequent reports had been addressed, on 12 April we confirmed that there was a continuing unresolved issue and we shut down the system.

Tagged: , , , ,

Comments (1)

  1. Presumably ICANN’s TAS system keeps system logs of all activity. Folks could easily make a DIDP request for disclosure of those logs, in order to identify which users were exploiting the vulnerability. ICANN would have 30 days to respond to the DIDP request.

    ICANN has 1 day left to respond to a DIDP request I made on March 15th regarding correspondences NOT posted to the official correspondence page.

    The DIDP has been underutilized. If enough folks utilized it, ICANN would be dragged kicking and screaming into a more accountable and transparent age.

Add Your Comment