ICANN knew about TAS security bug last week

ICANN has known about the data leakage vulnerability in its TLD Application System since at least last week, according to one new top-level domain applicant.
The applicant, speaking to DI on the condition of anonymity today, said he first noticed another applicant’s files attached to his gTLD application in TAS last Friday, April 6.
“I could infer the applicant/string… based on the name of the file,” said the applicant.
He immediately notified ICANN and was told the bug was being looked at.
ICANN revealed today that TAS has a vulnerability that, in the words of COO Akram Atallah, “allowed a limited number of users to view some other users’ file names and user names in certain scenarios.”
The actual contents of the files are not believed to have been visible.
But other applicants, also not wishing to be identified, today confirmed that they had uploaded files to TAS using file names containing the gTLD strings they were applying for.
It’s not yet known how many TAS users were able to see files belonging to others, or for how long the vulnerability was present on the system.
However, it now does not appear to be something that was accidentally introduced during yesterday’s scheduled TAS maintenance.
This kind of data leakage could prove problematic — and possibly expensive — if it alerted applicants to the existence of competing bids, or caused new competing bids to be created.
ICANN shut down TAS yesterday and does not expect to bring it back online until Tuesday.
The window for filing applications, which had been due to close yesterday, has been extended until 2359 UTC next Friday night.
April 14 Update
ICANN today released a statement that said in part:

we are sifting through the thousands of customer service inquiries received since the opening of the application submission period. This preliminary review has identified a user report on 19 March that appears to be the first report related to this technical issue.
Although we believed the issues identified in the initial and subsequent reports had been addressed, on 12 April we confirmed that there was a continuing unresolved issue and we shut down the system.

1 Comment Tagged: data leakage, ICANN, new gTLDs, security, tas

It’s worse than you thought: TAS security bug leaked new gTLD applicant data

The bug that brought down ICANN’s TLD Application System yesterday was actually a security hole that leaked data about new gTLD applications.
The vulnerability enabled TAS users to view the file names and user names of other applicants, ICANN said this morning.
COO Akram Atallah said in a statement:

We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios.
Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward.

Given the level of secrecy surrounding the new gTLD application process, this vulnerability ranks pretty highly on the This Is Exactly What We Didn’t Want To Happen scale.
It’s not difficult to imagine scenarios in which a TAS user name or file name contains the gTLD string being applied for.
This is important, competition-sensitive data. If it’s been leaked, serious questions are raised about the integrity of the new gTLD program.
How long was this vulnerability present in TAS? Which applicants were able to look at which other applicants’ data? Did any applicants then act on this inside knowledge by filing competing bids?
If it transpires that any company filed a gTLD application specifically in order to shake down applicants whose data was revealed by this vulnerability, ICANN is in for a world of hurt.

7 Comments Tagged: data leakage, ICANN, new gTLDs, security, tas

Facebook gTLD ruled out by ICANN director vote?

While Google recently confirmed its new top-level domain plans, an ICANN director has given a big hint that rival Facebook has not applied for any new gTLDs.
Director Erika Mann, head of EU policy at Facebook in Brussels, voted on ICANN’s “digital archery” method of batching new gTLD applications at the ICANN board meeting March 28.
Because ICANN’s new conflict of interest rules require directors to recuse themselves during votes on matters affecting their own businesses, this could be taken as a pretty strong indication that Facebook is not applying for a new gTLD.
If Mann was aware of a .facebook or other Facebook gTLD bid, I think there’s a pretty strong chance she would have not have participated in the digital archery decision.
At least one director whose employer is believed to have applied for a dot-brand gTLD, IBM’s Thomas Narten, did not attend the March 28 meeting.
Sébastien Bachollet, Steve Crocker, Bertrand de La Chapelle, Ram Mohan, George Sadowsky, Bruce Tonkin, Judith Vazquez, Suzanne Woolf and Kuo-Wei Wu also did not attend.
The March 28 board meeting was the first one with new gTLD program votes that Mann has participated in since the new conflict rules were introduced in December.
The news is obviously a couple of weeks old, but I think it’s worth mentioning now in light of the fact that social networking competitor Google revealed earlier this week that it will apply for some gTLDs.

Comment Tagged: facebook, google, ICANN, new gTLDs

ICM confirms three porn gTLD bids

ICM Registry has applied to ICANN for the new gTLDs .sex, .porn and .adult.
If its applications are successful, the company plans to automatically block any second-level domain that is already registered in .xxx, including the Sunrise B defensive registrations.
This means if you own example.xxx, the equivalent .sex, .porn and .adult domains would be reserved until you pay a “nominal” activation fee to activate them.
As well as trademark owners, that would probably be pretty good news for owners of “premium” .xxx domains.
According to ICM, the four domains will not be permanently linked, so if you own a good .xxx you’ll be able to pay a normal registration fee then activate and sell off the three “freebies”.
Because the domains would be permanently reserved, there would be no renewal fees until you choose to activate them, which could well be the same day you sell them.
There’s a good chance these gTLDs will be contested by other applicants and objected to by governments, of course.
I’ve written more on the announcement for The Register here.

Comment Tagged: .adult, .sex, ICANN, icm registry, new gTLDs, porn, xxx

TAS glitch “not an attack” says ICANN

ICANN’s decision this afternoon to shut down its TLD Application System until next Tuesday was not prompted by hackers, according to the organization.
“It’s not an attack,” a spokesperson told DI.
ICANN announced within the last hour that it has extended the window for new gTLD applications until next Friday as a result of unspecified “unusual behavior” in TAS.
Speculation as to the cause has already started on social media, with some pointing to the possibility of hacking, but according to ICANN we can rule out foul play.
The immediate reaction from stressed-out applicants has been split between those laughing, those crying, and those doing both.
TAS was down for scheduled maintenance for two hours last night. According to two applicants who logged in afterwards, it was running very slowly when it came back online.
UPDATE: ICANN has just confirmed: “No application data has been lost from those who have already submitted applications, so it should not pose problems for existing applicants.”

2 Comments Tagged: ICANN, new gTLDs, tas

Breaking: ICANN extends new gTLD application window after technical glitch

ICANN has extended the deadline to file new generic top-level domain applications by more than a week after its TLD Application System experienced “unusual behavior”.
TAS will be down until next Tuesday while ICANN fixes the unspecified problem, ICANN said.
Here’s the meat of ICANN’s announcement:

Recently, we received a report of unusual behavior with the operation of the TAS system. We then identified a technical issue with the TAS system software.
ICANN is taking the most conservative approach possible to protect all applicants and allow adequate time to resolve the issue. Therefore, TAS will be shut down until Tuesday at 23:59 UTC – unless otherwise notified before that time.
In order to ensure all applicants have sufficient time to complete their applications during the disruption, the application window will remain open until 23:59 UTC on Friday, 20 April 2012.

What this means for the Big Reveal, currently scheduled for April 30, is not yet clear. More when we get it.

12 Comments Tagged: ICANN, new gTLDs, tas

Pool.com offers $25k gTLD digital archery service

Domain name drop-catcher Pool.com hopes to make a quick buck out of ICANN’s new generic top-level domain application batching process.
The company has announced a Digital Archery Engine service, which it says could help new gTLD applicants get their applications near the top of the evaluation queue.
It’s based on Pool’s experience catching expiring names to auction, and ICANN’s controversial “digital archery” method of allocating applications into batches for processing.
Getting into the first batch of 500 applications is expected to knock at least five months off the wait time for new gTLD approval, delegation and launch. For many applicants, this time-to-market advantage is important.
But it’s not cheap. If Pool gets your application into the first batch it will set you back $25,000. If you’re in the top 50% of applications, the price tag is $10,000. Anything slower is free.

2 Comments Tagged: batching, digital archery, ICANN, new gTLDs, pool.com

Domain hijack leads to registrar shutdown threat

ICANN has threatened to terminate Chinese domain name registrar eName Technology after the domain 1111.com was allegedly hijacked.
According to ICANN’s notice of breach (pdf), eName has refused to hand over data documenting the transfer of 1111.com as required by the Registrar Accreditation Agreement.
ICANN claims that when it tried to get eName’s help investigating a hijacking complaint, the company did not return its calls or emails.
The registrar now has 15 days to provide the transfer records as called for by the Inter-Registrar Transfer Policy.
According to historical Whois records, 1111.com was transferred to eName between February 12 and 16 this year. After a complaint, ICANN started chasing eName for the data on February 28.
The domain appears to have been owned by at least four different parties and three different registrars – Network Solutions, then Joker, then eName – since the start of 2012.
It’s the second time that ICANN has sent a breach notice to a registrar over an alleged mishandling of a domain name hijacking, and the first time it’s actually named the domain in question.
In February, the organization threatened Turkish registrar Alantron with the suspension of its contract over the botched handling of pricewire.com.

5 Comments Tagged: 1111.com, compliance, ename, hijacking, ICANN, raa

TLDH wins .london contract, gets hacked

Top Level Domain Holdings has won the exclusive contract to apply to ICANN for the .london generic top-level domain, it has just been announced.
The deal was awarded by Dot London Domains, a subsidiary of official city PR agency London & Partners, to Minds + Machines Ltd, TLDH’s London-based subsidiary.
M+M will assist with the application and, assuming ICANN delegates .london, the registry infrastructure for at least seven years, with a three-year renewal option.
The application fees will be paid by L&P, according to TLDH chairman Peter Dengate Thrush.
The good news was soured slightly by an apparent hacking of TLDH’s web site by Viagra spammers this morning. According to the Google Cache, when the news broke, tldh.org looked like this:

TLDH is listed on London’s Alternative Investment Market.
It also has an office here, though its senior executives are based in the US and the company is registered in the tax haven of the British Virgin Islands.
I’d previously tagged .uk registry Nominet as the favorite to win the contract, but the company said today that it withdrew its bid last week.
APRIL 12 UPDATE
TLDH denies it got hacked yesterday. According to a spokesperson, there was an incident last August that may have been responsible for the Google Cache continuing to show Viagra spam for tldh.org yesterday.
From the explanation provided, it sounds like it was probably what’s sometimes known as a “conditional hack”, a difficult-to-detect attack whereby only the GoogleBot sees the spam SEO links.
The TLDH web site itself apparently never showed the links to visitors. Indeed, I only looked at the cache because tldh.org refused to load up for me yesterday morning.
The spokesperson maintained that the problem was sorted out last August and that TLDH has no idea why the Google Cache was showing the spam links in its cached page dated April 11, 2012.

1 Comment Tagged: .london, dot london domains, london & partners, m+m, Minds + Machines, tldh, top level domain holdings

Three-way legal fight over .eco breaks out

Planet.eco, an emergent .eco gTLD applicant with a trademark on “.eco” is suing two rival applicants for trademark infringement and cybersquatting in a California court.
The company sued DotEco (affiliated with Minds + Machines and Top Level Domain Holdings), along with CEO Fred Krueger, and Canada-based Big Room on March 2.
It’s looking for millions of dollars of damages and an injunction preventing both rival applicants from applying for .eco.
In late March, DotEco filed a counter-suit, alleging that Planet.eco’s .eco trademark was fraudulently obtained and that the company is trying to illegally stifle competition for the .eco gTLD.
That’s the short version. It’s a complex story with a great deal of history and more than a little bogus behavior.
DomainIncite PRO subscribers can read the full DI analysis, along with more PDFs than you could ever possibly need, here.
(Thanks to reader Tom Gilles for the tip)

7 Comments Tagged: .eco, big room, cybersquatting, doteco, ICANN, m+m, Minds + Machines, new gTLDs, planet.eco, tldh, top level domain holdings, trademarks