Security bug keeps ICANN gTLD grounded

A security bug in the Top Level Domain (gTLD) registration backbone has forced the global domain name overseer ICANN to keep the platform offline.

ICANN CSO, Jeff Moss found no evidence of hacking. Image credit: ICANN.

The gTLD application system was first taken down on April 12. 

Last week ICANN said the gTLD Application System (TAS) brought down by a mysterious ‘glitch’ should be back online by April 17.

Now the organisation has called off any restoration date, instead promising a further progress update “no later” than April 27. 

The security bug allowed applicants to view names of files uploaded by other users, but crucially not the contents of the files, ICANN chief security officer and BlackHat founder Jeff Moss said,

“Under certain circumstances, users that had previously deleted a file could end up seeing the filing of another user who had uploaded a file,” Moss said. 

“It means that certain details were being revealed to users who were not seeking the data would just show up on their screen.”

Moss said the flaw affected a “minority of instances”, adding that ICANN was “in the process of winnowing that down even more to be able to tell you with much more specificity how many people.”

The downtime has forced the organisation to delay the planned 30 April unveiling of successful applicants, which numbered over 800. 

To access ICANN’s gTLD TAS system, which was meant to take applications for generic domains such as “.coke” or “.shoes”, potential applicants used a Citrix XenApp Remote Desktop virtual Windows instance.

Users first had to log into the Citrix virtual desktop and then proceed to open the TAS application in a controlled environment. ICANN provides double log-in instructions to applicants here.

Moss did not say whether the problem stemmed from ICANN’s TLD application or the Citrix virtual desktop gateway for remote users of the system  

Applicants, who were required to front up with a US$5000 registration fee and a further US$180,000 “evaluation fee” have been forced to wait over two weeks for ICANN to remediate the problem, however the organisation has yet to explain exactly what the problem is.

ICANN spokesman Andrew Robertson told iTNews it was unable to say how many Australian applicants have been affected by the glitch, nor exactly where the glitch occurred.