A recent experiment conducted by researchers at Watchtowr Labs revealed some alarming security vulnerabilities in the outdated Whois service of the Domomennaya Zone registrar “.mobi”. The study was prompted by a change in the address of the Whois service, which was moved from the domain holis.dotmobiregistry.net to the new host whois.nic.mobi. The old domain dotmobiregistry.net was released in December 2023, making it available for registration.
By spending just $20 to purchase the now-defunct domain, the researchers were able to set up their own fake Whois service, Whois.dotmobiregistry.net, on their own server. Surprisingly, many systems continued to use the old domain instead of switching to the new host. Between August 30 and September 4 of this year, over 2.5 million requests were recorded coming from more than 135,000 unique systems.
These requests included those from state and military organizations, email servers, security platforms (such as Virustotal and Group-IB), certifying centers, domain verification services, SEO services, and domain registrars like Domain.com, GoDaddy, and more.
The researchers used the ability to send data in response to requests on the old Whois service to develop various types of attacks. One attack targeted systems that were still accessing the old service, assuming they were using outdated tools with vulnerabilities. For instance, vulnerabilities like CVE-2015-5243 in PHPWHOIS from 2015 allowed attackers to execute code by manipulating data returned by the server.
This experiment highlights the importance of keeping systems up to date and avoiding the use of outdated services with known vulnerabilities to ensure cybersecurity.