ICANN plans to inform each new top-level domain applicant whether they were affected by the security vulnerability in its TLD Application System, according to its latest update.
The organization has also confirmed that it is still targeting April 30 for the Big Reveal day, when it publishes (deliberately) the gTLDs being applied for and the names of the applicants.
An intensive review has produced no evidence that any data beyond the file names and user names could be accessed by other users.
We are currently reviewing the data to confirm which applicants were affected. As soon as the data is confirmed, we will inform all applicants whether they were affected.
ICANN staff and outside consultants have been working all weekend to figure out what went wrong, who it affected, and how it can be fixed.
The organization still intends to announce tonight whether it has fixed the problem to the point where it’s happy to reopen TAS to registered users tomorrow. It’s also sticking to is Friday extended submission deadline.
The new gTLD consultancy MyTLD has some ICANN TLD Application System slots going begging.
If for some reason you need to file a gTLD application and you haven’t already registered in TAS, this is what MyTLD says it is now offering:
(i) gTLD application writing and submission (ii) TAS account for the gTLD application (iii) Newly formed company corresponding to the TAS account
The company is marketing it as a bundled service.
MyTLD is most closely associated with the most prominent .music application. It’s run by Music.us owner Constantine Roussos and former ICANN internationalized domain name expert Tina Dam.
The offer is fleshed out a bit more on MyTLD’s blog.
I hear the company was shopping these TAS slots around privately prior to April 12 too, so I don’t think that it is an effort to capitalize on the security-related delays ICANN is currently experiencing.
However, one has to ask why the offer is only being publicized after the original official deadline for new gTLD applications has already passed.
TAS is expected to re-open for business on Tuesday, and close on Friday.
ICANN has known about the data leakage vulnerability in its TLD Application System since at least last week, according to one new top-level domain applicant.
The applicant, speaking to DI on the condition of anonymity today, said he first noticed another applicant’s files attached to his gTLD application in TAS last Friday, April 6.
“I could infer the applicant/string… based on the name of the file,” said the applicant.
He immediately notified ICANN and was told the bug was being looked at.
ICANN revealed today that TAS has a vulnerability that, in the words of COO Akram Atallah, “allowed a limited number of users to view some other users’ file names and user names in certain scenarios.”
The actual contents of the files are not believed to have been visible.
But other applicants, also not wishing to be identified, today confirmed that they had uploaded files to TAS using file names containing the gTLD strings they were applying for.
It’s not yet known how many TAS users were able to see files belonging to others, or for how long the vulnerability was present on the system.
However, it now does not appear to be something that was accidentally introduced during yesterday’s scheduled TAS maintenance.
This kind of data leakage could prove problematic — and possibly expensive — if it alerted applicants to the existence of competing bids, or caused new competing bids to be created.
ICANN shut down TAS yesterday and does not expect to bring it back online until Tuesday.
The window for filing applications, which had been due to close yesterday, has been extended until 2359 UTC next Friday night.
April 14 Update
ICANN today released a statement that said in part:
we are sifting through the thousands of customer service inquiries received since the opening of the application submission period. This preliminary review has identified a user report on 19 March that appears to be the first report related to this technical issue.
Although we believed the issues identified in the initial and subsequent reports had been addressed, on 12 April we confirmed that there was a continuing unresolved issue and we shut down the system.
The bug that brought down ICANN’s TLD Application System yesterday was actually a security hole that leaked data about new gTLD applications.
The vulnerability enabled TAS users to view the file names and user names of other applicants, ICANN said this morning.
COO Akram Atallah said in a statement:
We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios.
Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward.
Given the level of secrecy surrounding the new gTLD application process, this vulnerability ranks pretty highly on the This Is Exactly What We Didn’t Want To Happen scale.
It’s not difficult to imagine scenarios in which a TAS user name or file name contains the gTLD string being applied for.
This is important, competition-sensitive data. If it’s been leaked, serious questions are raised about the integrity of the new gTLD program.
How long was this vulnerability present in TAS? Which applicants were able to look at which other applicants’ data? Did any applicants then act on this inside knowledge by filing competing bids?
If it transpires that any company filed a gTLD application specifically in order to shake down applicants whose data was revealed by this vulnerability, ICANN is in for a world of hurt.
ICM Registry has applied to ICANN for the new gTLDs .sex, .porn and .adult.
If its applications are successful, the company plans to automatically block any second-level domain that is already registered in .xxx, including the Sunrise B defensive registrations.
This means if you own example.xxx, the equivalent .sex, .porn and .adult domains would be reserved until you pay a “nominal” activation fee to activate them.
As well as trademark owners, that would probably be pretty good news for owners of “premium” .xxx domains.
According to ICM, the four domains will not be permanently linked, so if you own a good .xxx you’ll be able to pay a normal registration fee then activate and sell off the three “freebies”.
Because the domains would be permanently reserved, there would be no renewal fees until you choose to activate them, which could well be the same day you sell them.
There’s a good chance these gTLDs will be contested by other applicants and objected to by governments, of course.
I’ve written more on the announcement for The Register here.