The problem allowed unauthorized access to the security software Register.com and its business partners use to manage Internet site information, such as a customer's contact information or the numerical address associated with a domain name. Spokeswoman Shonna Keogan said the security vulnerability was fixed today.
The security hole could have allowed someone to hijack any Web site that had been registered through Register.com, said Dan Nijs, a Register.com customer. Nijs, a Web site administrator, discovered the security hole.
Hijacking, in which visitors to a Web site are redirected to another of an attacker's choosing, has plagued sites such as Internet.com and RSA Security.
"We're really glad we were able to find out about the hole before any serious damage was done to anybody's domain information," Keogan said.
Nijs found to his dismay this week that he could get access to this privileged software just by copying a Web address out of records that catalog who visits a site. The information was contained in standard "referer" logs that record previously browsed Web addresses. One entry in the log was for Register.com's Web-based administration tool, Nijs said, which came complete with authentication information, or the equivalent of a password.
"If I was the only one who knew about it, it would be no problem," Nijs said. But the vulnerability isn't that hard to take advantage of, he added. "Anyone who knew about this could have shut down a million Web sites."
Nijs found he could get access to Register.com's own domain name information. He said that he also successfully changed his own Internet site's information. Register.com, however, said that Nijs couldn't have accessed Register.com's own information through the vulnerability. In addition, the company said the vulnerability allowed only some types of changes, meaning that Nijs overestimated the degree of damage that could be done.
Register.com has registered about 1.5 million Internet addresses; the largest Net name registrar is Network Solutions.
Elias Levy, a security expert who runs the Bugtraq mailing list where Nijs described the problem today, said the bug was a result of sloppy programming on Register.com's part. "They didn't take the security aspect of referers into account," he said.
But Register.com isn't the first to suffer from the dangerous combination of referers and Web-based services that record authentication information in their Web addresses. Web-based email providers also have suffered from overly descriptive Web addresses that allow unauthorized access.
Nijs said a more devious but difficult exploitation of the Register.com vulnerability could have allowed a person to change email routing information. By doing so, a person could intercept all the email a company received, gather information, and then forward the emails to the company. This would make it harder for the company to know someone was snooping around their communications.
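The referer leak described above can be audited from the receiving side. The following is an added example, not code from Register.com or from Nijs: it scans Combined Log Format lines for Referer values that carry credential-like query parameters and returns them redacted. The parameter names, hostnames and log lines are constructed assumptions, since the article does not give the real ones.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed credential-like parameter names; the article does not name the real one.
SENSITIVE = {"password", "passwd", "pwd", "token", "auth",
             "session", "sessionid", "sid", "key"}

# Tail of a Combined Log Format line: "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def redact(url):
    """Return (redacted_url, leaked_parameter_names) for one Referer value."""
    parts = urlsplit(url)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"  # never copy the secret into the report
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked

def audit(lines):
    """List (line_no, referring_host, leaked_names, redacted_url) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line.strip())
        if not m or m.group("referer") in ("", "-"):
            continue  # malformed line or no Referer sent
        safe, leaked = redact(m.group("referer"))
        if leaked:
            findings.append((n, urlsplit(safe).hostname, leaked, safe))
    return findings

# Constructed sample log lines (hypothetical hosts and values).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" '
    '200 5120 "http://admin.registrar.example/manage?domain=customer.example'
    '&auth=Zm9vYmFy" "Mozilla/4.7"',
    '203.0.113.9 - - [01/Jan/2000:10:02:41 +0000] "GET /about.html HTTP/1.0" '
    '200 2048 "http://search.example/?q=domain+names" "Mozilla/4.7"',
    '198.51.100.4 - - [01/Jan/2000:10:03:15 +0000] "GET / HTTP/1.0" '
    '200 5120 "-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    for line_no, host, names, safe_url in audit(SAMPLE):
        print(f"line {line_no}: {host} leaks {names} via Referer -> {safe_url}")
```

A finding means the referring service places authentication data in its Web addresses; the durable fix is on that service's side, by keeping credentials out of URLs.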