ICANN has known about the data leakage vulnerability in its TLD Application System since at least last week, according to one new top-level domain applicant.
The applicant, speaking to DI on the condition of anonymity today, said he first noticed another applicant’s files attached to his gTLD application in TAS last Friday, April 6.
“I could infer the applicant/string… based on the name of the file,” said the applicant.
He immediately notified ICANN and was told the bug was being looked at.
ICANN revealed today that TAS has a vulnerability that, in the words of COO Akram Atallah, “allowed a limited number of users to view some other users’ file names and user names in certain scenarios.”
The actual contents of the files are not believed to have been visible.
But other applicants, also not wishing to be identified, today confirmed that they had uploaded files to TAS using file names containing the gTLD strings they were applying for.
It’s not yet known how many TAS users were able to see files belonging to others, or for how long the vulnerability was present on the system.
However, it now does not appear to be something that was accidentally introduced during yesterday’s scheduled TAS maintenance.
This kind of data leakage could prove problematic — and possibly expensive — if it alerted applicants to the existence of competing bids, or caused new competing bids to be created.
ICANN shut down TAS yesterday and does not expect to bring it back online until Tuesday.
The window for filing applications, which had been due to close yesterday, has been extended until 2359 UTC next Friday night.
April 14 Update
ICANN today released a statement that said in part:
we are sifting through the thousands of customer service inquiries received since the opening of the application submission period. This preliminary review has identified a user report on 19 March that appears to be the first report related to this technical issue.
Although we believed the issues identified in the initial and subsequent reports had been addressed, on 12 April we confirmed that there was a continuing unresolved issue and we shut down the system.
The bug that brought down ICANN’s TLD Application System yesterday was actually a security hole that leaked data about new gTLD applications.
The vulnerability enabled TAS users to view the file names and user names of other applicants, ICANN said this morning.
COO Akram Atallah said in a statement:
We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios.
Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward.
Given the level of secrecy surrounding the new gTLD application process, this vulnerability ranks pretty highly on the This Is Exactly What We Didn’t Want To Happen scale.
It’s not difficult to imagine scenarios in which a TAS user name or file name contains the gTLD string being applied for.
This is important, competition-sensitive data. If it’s been leaked, serious questions are raised about the integrity of the new gTLD program.
How long was this vulnerability present in TAS? Which applicants were able to look at which other applicants’ data? Did any applicants then act on this inside knowledge by filing competing bids?
If it transpires that any company filed a gTLD application specifically in order to shake down applicants whose data was revealed by this vulnerability, ICANN is in for a world of hurt.
While Google recently confirmed its new top-level domain plans, an ICANN director has given a big hint that rival Facebook has not applied for any new gTLDs.
Because ICANN’s new conflict of interest rules require directors to recuse themselves during votes on matters affecting their own businesses, this could be taken as a pretty strong indication that Facebook is not applying for a new gTLD.
If Mann was aware of a .facebook or other Facebook gTLD bid, I think there’s a pretty strong chance she would have not have participated in the digital archery decision.
At least one director whose employer is believed to have applied for a dot-brand gTLD, IBM’s Thomas Narten, did not attend the March 28 meeting.
Sébastien Bachollet, Steve Crocker, Bertrand de La Chapelle, Ram Mohan, George Sadowsky, Bruce Tonkin, Judith Vazquez, Suzanne Woolf and Kuo-Wei Wu also did not attend.
The March 28 board meeting was the first one with new gTLD program votes that Mann has participated in since the new conflict rules were introduced in December.
The news is obviously a couple of weeks old, but I think it’s worth mentioning now in light of the fact that social networking competitor Google revealed earlier this week that it will apply for some gTLDs.
ICM Registry has applied to ICANN for the new gTLDs .sex, .porn and .adult.
If its applications are successful, the company plans to automatically block any second-level domain that is already registered in .xxx, including the Sunrise B defensive registrations.
This means if you own example.xxx, the equivalent .sex, .porn and .adult domains would be reserved until you pay a “nominal” activation fee to activate them.
As well as trademark owners, that would probably be pretty good news for owners of “premium” .xxx domains.
According to ICM, the four domains will not be permanently linked, so if you own a good .xxx you’ll be able to pay a normal registration fee then activate and sell off the three “freebies”.
Because the domains would be permanently reserved, there would be no renewal fees until you choose to activate them, which could well be the same day you sell them.
There’s a good chance these gTLDs will be contested by other applicants and objected to by governments, of course.
I’ve written more on the announcement for The Register here.
ICANN’s decision this afternoon to shut down its TLD Application System until next Tuesday was not prompted by hackers, according to the organization.
“It’s not an attack,” a spokesperson told DI.
ICANN announced within the last hour that it has extended the window for new gTLD applications until next Friday as a result of unspecified “unusual behavior” in TAS.
Speculation as to the cause has already started on social media, with some pointing to the possibility of hacking, but according to ICANN we can rule out foul play.
The immediate reaction from stressed-out applicants has been split between those laughing, those crying, and those doing both.
TAS was down for scheduled maintenance for two hours last night. According to two applicants who logged in afterwards, it was running very slowly when it came back online.
UPDATE: ICANN has just confirmed: “No application data has been lost from those who have already submitted applications, so it should not pose problems for existing applicants.”