Mastercard fixes potentially catastrophic DNS typo

It’s always DNS.

A security researcher by the name of Philippe Caturegli discovered a typo in Mastercard’s DNS records which had existed for years and opened the door to abuse.

DNS is the Internet’s address book, mapping human-readable domain names like threatdown.com to the IP addresses computers use for networking, like 192.0.66.84. NS records are “nameserver” records that tell computers where to find DNS records for a domain.

Mastercard uses five DNS servers hosted by Akamai, and so it has five NS records, one for each DNS server, and every DNS server has a domain ending in akam.net.

However, Caturegli discovered that somebody had made a typo in one of Mastercard’s NS entries, so the record pointed to a domain ending in akam.ne instead of akam.net. What might seem like a simple typo is a colossal error—while .net is a top-level domain (TLD) administered by Verisign, .ne is the official country code top-level domain (ccTLD) maintained by the African nation of Niger.

This means that one in five requests for Mastercard nameservers would have been directed to a server outside of Mastercard’s control, opening the door for somebody else to buy the domain referenced in the NS records. The intruder nameserver could then be used to host DNS records that directed a slice of Mastercard traffic wherever its owner wanted.

For example, if a cybercriminal bought the misconfigured domain name, they could set up a mail server and intercept and send Mastercard emails; they could use it to receive Microsoft Windows authentication credentials; or they could use it to distribute malware from websites in a trusted domain.

When Caturegli discovered the typo, he registered the mistyped domain for $300 and warned Mastercard about its error.

When talking to Brian Krebs about the issue, he said he noticed that Mastercard was not the only organization that had made this typo. He noticed hundreds of thousands of DNS requests on the server he set up at his newly-acquired akam.ne domain, but Mastercard was the biggest name among the affected organizations.

The researcher, who reported the issue directly to Mastercard, was clearly unsatisfied with the way the company handled it, calling it a “classic case of how not to handle vulnerability disclosure”.

Mastercard responded by expressing concerns with the LinkedIn post the researcher published about the issue through Bugcrowd, and told Krebs that “there was not a risk to our systems”.

Further research by Krebs showed that the akam.ne domain had been registered before, between 2016 and 2018, by someone using a yandex.ru email address. But the typo at Mastercard likely happened after that period. Caturegli reckons it was present for over four years.

The incident is a useful reminder that there are numerous ways to abuse mistakes in DNS records. Thankfully, it’s easy to check them, too. You might want to do that now.
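The NS-record mistake described above is the kind of thing a short audit script catches before anyone else does. The following is an added example, not code from the article, from Mastercard or from Akamai: it takes a zone's NS hostnames, compares each nameserver's parent domain against the provider domains you expect (here `akam.net`), and flags anything outside that set, calling out entries that are a single character away from an expected domain as probable typos. The zone name and the five nameserver hostnames are constructed to mirror the article's description; in practice you would feed it the output of `dig +short NS <your-zone>` for every zone you own. The `registrable_parent` helper takes the last two labels of a hostname as a stand-in for a proper public-suffix lookup, which is an assumption that holds for provider domains like `akam.net` but not for suffixes such as `.co.uk`.

```python
"""Audit a zone's NS records for nameservers outside the expected provider domain.

Added example (not from the article). Inputs below are constructed; replace
SAMPLE_NS_RECORDS with real data from `dig +short NS <zone>` or a resolver library.
"""
from dataclasses import dataclass

# Constructed sample: a placeholder zone with five nameservers, one of which
# carries the TLD typo the article describes (.ne instead of .net).
SAMPLE_NS_RECORDS = {
    "example-bank.test": [
        "ns1.akam.net.",
        "ns2.akam.net.",
        "ns3.akam.ne.",   # the typo: .ne is Niger's ccTLD, not Akamai's domain
        "ns4.akam.net.",
        "ns5.akam.net.",
    ],
}

# Provider domains you expect every nameserver to live under (assumption for this example).
EXPECTED_PARENTS = {"akam.net"}


@dataclass(frozen=True)
class Finding:
    zone: str
    nameserver: str
    reason: str


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot that zone files and dig output carry."""
    return name.strip().lower().rstrip(".")


def registrable_parent(hostname: str) -> str:
    """Return the last two labels (e.g. 'akam.net').

    Toy stand-in for a public-suffix lookup; adequate for provider domains such
    as akam.net, but it would mis-handle multi-label suffixes like .co.uk.
    """
    labels = normalise(hostname).split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot parent domains one keystroke away from an expected one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_ns(zone: str, nameservers: list[str], expected_parents: set[str]) -> list[Finding]:
    """Flag duplicate NS entries and nameservers whose parent domain is not expected."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for ns in nameservers:
        host = normalise(ns)
        if host in seen:
            findings.append(Finding(zone, host, "duplicate NS entry"))
            continue
        seen.add(host)
        parent = registrable_parent(host)
        if parent in expected_parents:
            continue
        reason = f"unexpected nameserver domain {parent!r}"
        close = sorted(e for e in expected_parents if levenshtein(parent, e) == 1)
        if close:
            reason += f" (one character away from {close[0]!r}, likely a typo)"
        findings.append(Finding(zone, host, reason))
    return findings


def audit_all(records: dict[str, list[str]], expected_parents: set[str]) -> list[Finding]:
    """Run the audit over every zone in a {zone: [nameservers]} mapping."""
    findings = []
    for zone, nameservers in records.items():
        findings.extend(audit_ns(zone, nameservers, expected_parents))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_NS_RECORDS, EXPECTED_PARENTS):
        print(f"{f.zone}: {f.nameserver}: {f.reason}")
```

Run against the constructed sample, the script reports only `ns3.akam.ne` with a note that it is one character away from `akam.net`. A stricter version would check the parent zone's delegation (the NS set the `.com` servers hand out) as well as the zone's own NS records, since the two can drift apart, and would also confirm that every listed nameserver's domain is registered and actually answers for the zone.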