The data leakage bug in ICANN’s TLD Application System was caused when applicants attempted to delete files they had uploaded, the organization has revealed.
In his latest daily update into the six-day-old TAS downtime, chief operating officer Akram Atallah wrote this morning:
ICANN’s review of the technical glitch that resulted in the TLD application system being taken offline indicates that the issue stems from a problem in the way the system handled interrupted deletions of file attachments. This resulted in some applicants being able to see some other applicants’ file names and user names.
This sounds rather like an applicant’s file names may have become visible to others if the applicant attempted to delete the file (perhaps in order to upload a revised version) and the deletion process was cut off.
Speculating further, this also sounds like exactly the kind of problem that would have been exacerbated by the heavy load TAS was under on April 12, as lots of applicants simultaneously scrambled to get their gTLD bids finalized to deadline.
Rather than being a straightforward web app, TAS is accessed via Citrix XenApp virtual machine software, which provides users with an encrypted tunnel into a Windows box running the application itself.
As you might expect with this set-up, performance issues have been observed for weeks. Every applicant logged into TAS last Thursday reported that it was running even more slowly than usual.
A security bug that only emerged under user load would have been relatively tricky to test for, compared to regular penetration testing.
But ICANN had some good news for applicants this morning: it thinks it will be able to figure out not only whose file names were leaked, but also who they were leaked to. Atallah wrote:
We are also conducting research to determine which applicants’ file names and user names were potentially viewable, as well as which applicants had the ability to see them.
This kind of disclosure would obviously be beneficial to applicants whose data was compromised.
It may also prove surprising and discomfiting to some applicants who were unwittingly on the receiving end of this confidential data but didn’t notice the rogue files on their screens at the time.
ICANN still plans to provide an update on when TAS will reopen for business this Friday. It will also confirm at the time whether it is still targeting April 30 for the Big Reveal.