Slashdot Mirror


American Samoa Domain Registry Was Exposing Client Data Since the Mid-1990s (softpedia.com)

An anonymous reader quotes a report from Softpedia: A British security researcher who goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.
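The summary describes a classic object-level authorization failure: the record is selected by the domain name in the URL, and the server never checks whether the caller is allowed to read or change it. The toy model below is an added example written for this page; it is not ASNIC's code, and the registry contents, account names, URL shapes and function names are all constructed assumptions. It puts the vulnerable handler beside a hardened one that authorizes against the session, returns only WHOIS-public fields to strangers, and refuses state changes that are not an owner-authenticated POST with a CSRF token.

```python
"""Added example: object-level authorization on a domain-info endpoint.

Toy model of the bug class the summary describes (a record fetched by the
identifier in the URL with no check that the caller may read or change it)
beside a hardened version. The registry contents, account names, URL shape
and function names are constructed for this example; this is not ASNIC's
code and says nothing about how its system was actually built.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Caller is not allowed to perform the requested operation."""


@dataclass
class DomainRecord:
    name: str
    owner: str                  # account that may manage the domain
    nameservers: List[str]      # public (would appear in WHOIS)
    registrant_email: str       # private contact details
    registrant_phone: str


def make_registry() -> Dict[str, DomainRecord]:
    """Constructed sample data; not real .as registrations."""
    return {
        "example.as": DomainRecord("example.as", "alice", ["ns1.example.net"],
                                   "alice@example.net", "+1-555-0100"),
        "other.as": DomainRecord("other.as", "bob", ["ns1.other.net"],
                                 "bob@other.net", "+1-555-0199"),
    }


# ---- Vulnerable: whatever name is in the URL is looked up and returned ----
def vulnerable_view(reg, session_user: Optional[str], domain: str) -> dict:
    """GET /domaininfo?domain=<name>: full record to anyone, logged in or not."""
    return vars(reg[domain]).copy()          # no ownership check at all


def vulnerable_delete(reg, session_user: Optional[str], domain: str) -> None:
    """GET /domaininfo?domain=<name>&action=delete: an edited URL deletes it."""
    del reg[domain]                          # no auth, no CSRF token, no POST


# ---- Hardened: authorize against the session, never against the URL ----
PUBLIC_FIELDS = ("name", "nameservers")


def secure_view(reg, session_user: Optional[str], domain: str) -> dict:
    """Public fields for everyone; contact details only for the owner."""
    rec = reg.get(domain)
    if rec is None:
        raise KeyError(domain)
    out = {k: getattr(rec, k) for k in PUBLIC_FIELDS}
    if session_user is not None and session_user == rec.owner:
        out["registrant_email"] = rec.registrant_email
        out["registrant_phone"] = rec.registrant_phone
    return out


def secure_delete(reg, session_user: Optional[str], domain: str,
                  method: str, csrf_token: str, session_csrf: str) -> None:
    """State change: POST only, valid per-session CSRF token, owner only."""
    if method != "POST" or not hmac.compare_digest(csrf_token, session_csrf):
        raise Forbidden("delete must be a POST carrying the session's CSRF token")
    rec = reg.get(domain)
    # Same error whether the domain is missing or owned by someone else, so
    # the endpoint cannot be used to enumerate which names exist.
    if rec is None or session_user is None or session_user != rec.owner:
        raise Forbidden("not authorized to manage this domain")
    del reg[domain]


if __name__ == "__main__":
    reg = make_registry()
    # Anonymous caller, someone else's domain: the vulnerable path leaks the
    # contact details, the hardened path returns only the WHOIS-public fields.
    print(vulnerable_view(reg, None, "other.as"))
    print(secure_view(reg, None, "other.as"))
    try:
        secure_delete(reg, "alice", "other.as", "POST", "tok", "tok")
    except Forbidden as e:
        print("blocked:", e)
```

The point of the hardened version is that the domain name in the URL is only a lookup key; every decision about what to return or change is made from the server-side session. Returning an identical error for "does not exist" and "not yours" also stops the management endpoint from doubling as a domain enumerator.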

17 comments

  1. Much sexy by blueshift_1 · · Score: 1

    Because there's nothing sexier than a domain registry (to the max)!

  2. Typical case of bad corporate response by Anonymous Coward · · Score: 0

This has happened to me at least twice when disclosing security issues. They acknowledge the incident, they fix it, and then they attack me when I publish my report.

    1. Re:Typical case of bad corporate response by alphatel · · Score: 1

This has happened to me at least twice when disclosing security issues. They acknowledge the incident, they fix it, and then they attack me when I publish my report.

      I once owned an AS domain. Despite the fact that they list themselves as having an office in NYC, writing to them, emailing them and calling their listed number generated no response to requests I made to have the administrative contact changed. They have no proper web interface either. I dropped my AS domain due to their complete incompetence and lack of support. Looks like that was the best move I could have made after this recent incident was made public.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  3. Both right by Anonymous Coward · · Score: 1

    Both sides are right. The registrar because the system had been discontinued, and the researcher because the registrar did not notify clients. There, settled! Now kiss and make up.

    1. Re:Both right by Anonymous Coward · · Score: 0

The researcher disputes that the registry system had been "discontinued", and says that he was able to perform WHOIS queries to verify that changes could be made to live .as domain records - worrying stuff!

    2. Re:Both right by Anonymous Coward · · Score: 0

      Nothing is discontinued until you pull the plug out of the wall. If it was available online... it was live.

  4. Voting rights by Kjellander · · Score: 0

    How about you also give American Samoans the right to vote while you are at it?

    1. Re:Voting rights by TFlan91 · · Score: 1
  5. A request to Slashdot by Anonymous Coward · · Score: 0

    I saw this story in the Firehose last night. There were some apparently rejected submissions that looked more interesting but disappeared from the default view. When I view Firehose in Firefox, I don't see the slider that used to be there to change the threshold of posts that show up. Can you bring that slider back?

    There seem to be a lot of interesting stories that aren't dupes but don't get posted to the front page. I suspect there are people who'd like to discuss them. In the past, it seemed like Slashdot probably posted about 150% of the amount of stories that get posted today. Is there any way that you can move the rejected non-dupe, non-spam, and non-Forbes submissions somewhere else that we can discuss them? In the past, pages for each section like YRO had an assortment of front page stories and stories that only appeared in that section. That might be a good place for stories that are interesting but don't make the cut for the front page.

    Yes, I'm partially griping because my Snowden submission seems to have been rejected. But I also see a lot of interesting stuff that never gets posted and might be worth discussing somewhere. The quality of discussion would probably be better, though the comments would be fewer. My project for my statistics class in my freshman year of college demonstrated that the proportion of -1 posts on stories only on section pages was lower than front page stories in a very statistically significant manner.

    1. Re:A request to Slashdot by Anonymous Coward · · Score: 0

      You can view purple submissions from profile settings from what I remember.

    2. Re: A request to Slashdot by Anonymous Coward · · Score: 0

      You're correct. Thanks.

      That does require knowing who submitted the story and it doesn't work for ACs, who seem to submit a majority of the non-spam stories now.

  6. SHUTUP! SHUTUP!! by Anonymous Coward · · Score: 0

    shut uppppppp!!

  7. Freedom by Anonymous Coward · · Score: 0

    America is synonymous with freedom. Of course this data would be freely exposed. Isn't that what you open source people want, anyway?

    Information and data wants to be free for all to mooch!

    1. Re: Freedom by Anonymous Coward · · Score: 0

      So you come here just to assault open source? You are either a M$ sock puppet with Nadella's hand up your asterisk or you are just a genius.

      STFU

  8. Small country by Anonymous Coward · · Score: 0

    This is what happens in small countries where everyone knows everyone. You can't fine the registrar for poor security because he's probably married to your cousin.

  9. Horror stories by Anonymous Coward · · Score: 0

    No surprise. Just search reddit for horror stories of having to move .as domains from one DNS to another. That registrar is horrendously bad.