It’s not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and the position to execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land. But that’s exactly what happened recently to Benjamin Harris.
Harris, the CEO and founder of security firm watchTowr, did all of this by registering the domain dotmobilregistry.net.
The domain was once the official home of the authoritative WHOIS server for .mobi, a top-level domain used to indicate that a website is optimized for mobile devices
“watchTowr’s research has demonstrated that trust placed in this process by governments and authorities worldwide should be considered misplaced at this stage, in [our] opinion,” Harris wrote in a post documenting his research
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
My domain certs are free and handled by my service provider in Canada.
“watchTowr continues to hold concern around the basic reality: watchTowr found this on a whim in a hotel room while escaping the Vegas heat surrounding Black Hat, while well-resourced and focused nation-states look for loopholes like this every day. In watchTowr’s opinion, they are not likely to be the last to find inexcusable flaws in such a crucial process.”