TAS bug hit over 100 new gTLD applicants
It just keeps getting worse.
ICANN’s TLD Application System security bug could have revealed file names belonging to 105 new gTLD applicants to 50 other applicants on 451 occasions, according to the organization.
With 1,268 applicants in the system, those numbers certainly fit with the “a minority of applicants” description previously given, but it still shows that the bug was widespread.
The supplied numbers are “approximate”, but ICANN said it is “continuing to review system logs and packet-level traffic to confirm how many viewings actually did occur.”
The latest news means, for example, that 50 new gTLD applicants may have had the ability to see information belonging to other applicants on average nine times each.
While the new data may not strongly suggest that the bug was deliberately exploited by any applicant(s), it’s not inconsistent with that scenario.
It could mean that one applicant saw the details of 56 others (suggesting exploitation), but it could also mean that 50 applicants saw about two third-party file names each (suggesting accidental viewing).
Without further information, it’s impossible to know.
ICANN has not revealed, and is unlikely to reveal in the short term, whether any applicant was able to view the metadata of another applicant for the same gTLD.
The organization has, however, started to notify affected applicants, telling each whether they were affected as a victim or as a beneficiary, according to the latest update from chief operating officer Akram Atallah.
Atallah also revealed that TAS had 95,000 file attachments in the system when it was taken down April 12.
At an average of 75 files per TAS account, this would support the idea that, on average, each TAS account was being used to file more than one application.
ICANN still plans to wrap up the notification process before next Tuesday, May 8, but there’s no word yet on when TAS will reopen for the final five days of the application window.
5 days is not enough – given the time they’ve been down… heck – we’ve got teams to assemble, leave/trips to cancel and all kinds of stuff to organise…
You only had 12 hours before TAS went down. What’s changed?
Have to go through everything that has already been submitted, for one…
Every single answer will need to be checked as will every single file.
Don’t trust ICANN’s “no data was lost” statement then?
Probably a very wise decision.
Calvin,
If you automate the process by using the ‘Compare Document’ feature of Word (or some similar document comparison software) you should be able to quickly see if your TAS data corresponds to your source documents. We did this pre-April 12 and it can be done in a few hours.
I think ICANN recognize that system load could be high when it reopens and are beefing performance up accordingly. We’re expecting system speed to be acceptable – but we’ll all get a handle on that when it reopens.
Richard – yup – there are ways of automating checks. Naturally one would do this…
I guess the real question is: what is a reasonable time to stay open once TAS comes back up? My take: the longer it takes to come up, the longer it should stay open.
The longer it stays open the longer there is for something to go wrong. There were 12 hours to go when it went offline. I’d give applicants those 12 hours back — and I’d give them another 24 hours to check that their previously entered data is intact.
So I think 36 hours would be fine. The five days they’ve allocated is more than enough.