APNIC resets passwords after whois credentials spill

Accidentally published hashed passwords.

APNIC, the regional internet registry for Australia, has been forced to reset all passwords for objects in its whois database after a technical error leaked hashed authentication credentials.

APNIC upgraded its whois database - which carries information about organisations and people who have been allocated internet-numbered networks, and who can alter the data published in it - in June this year. 

In the process, APNIC accidentally included hashed authentication details for the database's whois Maintainer and Incident Response Team (IRT) objects in the downloadable data feed the registry publishes.

But the passwords were hashed with relatively weak cryptographic methods such as the UNIX crypt-pw, which limits passwords to just eight characters in length. APNIC admitted there was a "possibility that passwords could have been derived from the hash if a malicious actor had the right tools".

If an attacker had cracked the hashes and obtained the passwords for the objects in the database, they could have altered whois details and temporarily re-routed IP-numbered networks from their owners.

The error was only discovered this month after security researchers from eBay's red team reported it to APNIC.

APNIC removed the passwords from the whois data feed and reset all Maintainer and IRT passwords earlier this month.

The registry continues to analyse its log files for network resource holder activity, and said it has not found evidence of any irregularities. 

There is no connection between the whois Maintainer and IRT resource objects credentials leak and MyAPNIC portal login credentials; users of the latter do not need to reset their passwords.
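
A pre-publication check of the kind that catches this class of leak, as an added example that is not APNIC's code: it scans an RPSL-style whois dump for `auth:` attributes that still carry hash material, flags the crypt-pw scheme the article names, and emits a redacted copy. The sample feed, object names, hash strings, the `auth: <SCHEME>-PW <hash>` layout and the `# Filtered` marker are assumptions constructed for illustration.

```python
import re

# Constructed sample of an RPSL-style whois dump; object names and hash
# strings are made up and do not correspond to any real password.
SAMPLE_FEED = """\
mntner:         MAINT-EXAMPLE-AP
descr:          Example Networks
auth:           CRYPT-PW abXYZ0123456.
auth:           MD5-PW $1$abcdefgh$0123456789abcdefghijk.
source:         EXAMPLE

irt:            IRT-EXAMPLE-AP
auth:           # Filtered
source:         EXAMPLE

inetnum:        192.0.2.0 - 192.0.2.255
mnt-by:         MAINT-EXAMPLE-AP
source:         EXAMPLE
"""

# Assumption: hashed credentials appear as "auth: <SCHEME>-PW <hash>".
# A value starting with "#" is treated as an already-redacted comment.
AUTH_HASH = re.compile(r"^(auth:\s*)([A-Za-z0-9]+-PW)\s+([^\s#]\S*)", re.I)
WEAK_SCHEMES = {"CRYPT-PW"}  # the scheme the article describes as weak

def audit_feed(text):
    """Return (findings, redacted_text) for a blank-line separated dump."""
    findings, out = [], []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        obj_type, _, obj_name = (p.strip() for p in lines[0].partition(":"))
        kept = []
        for line in lines:
            m = AUTH_HASH.match(line)
            if m:
                scheme = m.group(2).upper()
                weak = scheme in WEAK_SCHEMES
                findings.append((obj_type, obj_name, scheme, weak))
                line = m.group(1) + scheme + " # Filtered"  # drop the hash
            kept.append(line)
        out.append("\n".join(kept))
    return findings, "\n\n".join(out) + "\n"

def safe_to_publish(text):
    """Gate for a publishing job: True only if no hash material remains."""
    return not audit_feed(text)[0]

if __name__ == "__main__":
    findings, redacted = audit_feed(SAMPLE_FEED)
    print(findings, safe_to_publish(SAMPLE_FEED), safe_to_publish(redacted))
```

Running `safe_to_publish` on the export as the last step of the feed job means a schema change that starts emitting `auth:` hashes fails the job rather than reaching the public download.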

Copyright © iTnews.com.au . All rights reserved.