The bug that brought down ICANN’s TLD Application System yesterday was actually a security hole that leaked data about new gTLD applications.
The vulnerability enabled TAS users to view the file names and user names of other applicants, ICANN said this morning.
COO Akram Atallah said in a statement:
We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios.
Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward.
Given the level of secrecy surrounding the new gTLD application process, this vulnerability ranks pretty highly on the This Is Exactly What We Didn’t Want To Happen scale.
It’s not difficult to imagine scenarios in which a TAS user name or file name contains the gTLD string being applied for.
This is important, competition-sensitive data. If it’s been leaked, serious questions are raised about the integrity of the new gTLD program.
How long was this vulnerability present in TAS? Which applicants were able to look at which other applicants’ data? Did any applicants then act on this inside knowledge by filing competing bids?
If it transpires that any company filed a gTLD application specifically in order to shake down applicants whose data was revealed by this vulnerability, ICANN is in for a world of hurt.
While Google recently confirmed its new top-level domain plans, an ICANN director has given a big hint that rival Facebook has not applied for any new gTLDs.
Because ICANN’s new conflict of interest rules require directors to recuse themselves during votes on matters affecting their own businesses, this could be taken as a pretty strong indication that Facebook is not applying for a new gTLD.
If Mann was aware of a .facebook or other Facebook gTLD bid, I think there’s a pretty strong chance she would not have participated in the digital archery decision.
At least one director whose employer is believed to have applied for a dot-brand gTLD, IBM’s Thomas Narten, did not attend the March 28 meeting.
Sébastien Bachollet, Steve Crocker, Bertrand de La Chapelle, Ram Mohan, George Sadowsky, Bruce Tonkin, Judith Vazquez, Suzanne Woolf and Kuo-Wei Wu also did not attend.
The March 28 board meeting was the first one with new gTLD program votes that Mann has participated in since the new conflict rules were introduced in December.
The news is obviously a couple of weeks old, but I think it’s worth mentioning now in light of the fact that social networking competitor Google revealed earlier this week that it will apply for some gTLDs.
ICM Registry has applied to ICANN for the new gTLDs .sex, .porn and .adult.
If its applications are successful, the company plans to automatically block any second-level domain that is already registered in .xxx, including the Sunrise B defensive registrations.
This means if you own example.xxx, the equivalent .sex, .porn and .adult domains would be reserved until you pay a “nominal” activation fee to activate them.
As well as trademark owners, that would probably be pretty good news for owners of “premium” .xxx domains.
According to ICM, the four domains will not be permanently linked, so if you own a good .xxx you’ll be able to pay a normal registration fee then activate and sell off the three “freebies”.
Because the domains would be permanently reserved, there would be no renewal fees until you choose to activate them, which could well be the same day you sell them.
There’s a good chance these gTLDs will be contested by other applicants and objected to by governments, of course.
I’ve written more on the announcement for The Register here.
ICANN’s decision this afternoon to shut down its TLD Application System until next Tuesday was not prompted by hackers, according to the organization.
“It’s not an attack,” a spokesperson told DI.
ICANN announced within the last hour that it has extended the window for new gTLD applications until next Friday as a result of unspecified “unusual behavior” in TAS.
Speculation as to the cause has already started on social media, with some pointing to the possibility of hacking, but according to ICANN we can rule out foul play.
The immediate reaction from stressed-out applicants has been split between those laughing, those crying, and those doing both.
TAS was down for scheduled maintenance for two hours last night. According to two applicants who logged in afterwards, it was running very slowly when it came back online.
UPDATE: ICANN has just confirmed: “No application data has been lost from those who have already submitted applications, so it should not pose problems for existing applicants.”
ICANN has extended the deadline to file new generic top-level domain applications by more than a week after its TLD Application System experienced “unusual behavior”.
TAS will be down until next Tuesday while ICANN fixes the unspecified problem, ICANN said.
Here’s the meat of ICANN’s announcement:
Recently, we received a report of unusual behavior with the operation of the TAS system. We then identified a technical issue with the TAS system software.
ICANN is taking the most conservative approach possible to protect all applicants and allow adequate time to resolve the issue. Therefore, TAS will be shut down until Tuesday at 23:59 UTC – unless otherwise notified before that time.
In order to ensure all applicants have sufficient time to complete their applications during the disruption, the application window will remain open until 23:59 UTC on Friday, 20 April 2012.
What this means for the Big Reveal, currently scheduled for April 30, is not yet clear. More when we get it.