Flaws in Tonga’s top-level domain left Google, Amazon, Tether web services vulnerable to takeover

Written by publishing team

Skewed incentives undermine efforts to address TLD flaws with far-reaching impact

Security researchers have revealed that attackers could have modified the name servers of any domain within the Tonga country code top-level domain (ccTLD) due to a vulnerability in the TLD registrar’s website.

With a Google search of “.to” pages yielding nearly 513 million results, the flaw gave would-be attackers a myriad of potential targets for a variety of large-scale attacks.

Fortunately, malicious exploitation was averted, as the Tonga Network Information Center (Tonic) was “quickly responsive” in fixing the bug less than 24 hours after web security company Palisade revealed the problem, following pen testing, on October 8, 2021, Palisade’s blog reveals.

Traffic redirection

Sam Curry and other Palisade researchers discovered a SQL injection vulnerability on the registrar’s website, whose misuse could enable attackers to obtain plain-text DNS master passwords for .to domains.

Once logged in, they could overwrite the DNS settings of these domains and redirect traffic to their own website.


According to Curry, the attacker could then steal cookies and local browser storage, thereby gaining access to victims’ sessions, among other attacks.

If an attacker seized control of Google’s official domain for redirects and the OAuth authentication flow, they could send crafted links that would leak authentication codes for Google accounts.

Short links security

As with .io, .to domains are widely used to create short links for resetting user passwords, for affiliate marketing, and for directing users to company resources.

Curry suggested that link shortening services used by the likes of Amazon and Verizon could be abused by updating the “.to” pages that these huge brands tweet out to millions of followers on Twitter.

Curry, founder of Palisade, suggested that attackers could “likely steal a very large amount of money” from users of the official platform for buying the Tether stablecoin, even if they “control the field [only] for a short period of time.”

However, Eric Gullichsen, who is responsible for the .to ccTLD, told Daily Swig that “many of the security, monitoring, and throttling systems we already have would have eliminated many of the vulnerabilities used during pen testing, had the IP addresses of security researchers not been whitelisted to enable their testing.”

“very very very bad”

Curry warned that similar vulnerabilities could lie among 1,500 or so other TLDs, and predicted that old domain name registration pages could give attackers access to “the systems used to manage all domains under a TLD which would be very, very bad”.

However, he said, skewed incentives are hampering remediation efforts.


“Most programs (in my opinion) are less willing to pay for vulnerabilities in dependencies that would result in widespread impact across different organizations,” he explained, noting honorable exceptions such as HackerOne’s online bounty program.

Furthermore, domain name registration service providers like Verisign cannot realistically match the likes of Google and Facebook in terms of payments.

“We agree with Sam that tightening TLD registries is a fundamental – and neglected – aspect of Internet security,” said Gullichsen, Tonga’s ccTLD Officer.

Detection possibilities

Curry told Daily Swig that malicious actors would have a “good chance” of compromising vulnerable domains undetected, depending on defensive monitoring.

“If you were to acquire something like a cryptocurrency exchange or a DeFi platform, you would just be able to copy the website and replace the wallet addresses with yours,” he said.

Larger clients like Google or Facebook are more likely to watch for such attacks, “but other than that, I imagine unless clients report issues, it will take a day or so before website owners realize their DNS has been updated”.

He adds, “There are also a lot of fun attacks where you can take over a third-party service API like a 2FA provider and use it to bypass authentication, but these are more targeted and I don’t think anyone would really try to compromise a TLD to target a specific account on a specific platform, but who knows!”
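
The day-long detection gap described above can be narrowed by regularly comparing a zone's delegation, as served by the TLD's name servers, against an approved baseline. The following is an added example, not code from the article or from Palisade; the zone, name server names and dig-style response are constructed, and the input is assumed to be the text of a non-recursive NS query answered by a TLD name server.

```python
# Added example: detect drift in a zone's NS delegation as seen at the parent (TLD).
# All names and the sample response below are constructed for illustration.

def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_ns_records(dig_text: str, zone: str) -> set[str]:
    """Extract NS targets for `zone` from 'owner TTL class type rdata' lines."""
    found = set()
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment/header lines
        fields = line.split()
        if len(fields) != 5:
            continue  # not a simple resource-record line
        owner, _ttl, rclass, rtype, rdata = fields
        if (rclass.upper() == "IN" and rtype.upper() == "NS"
                and _norm(owner) == _norm(zone)):
            found.add(_norm(rdata))
    return found

def check_delegation(zone: str, expected: set[str], dig_text: str) -> dict:
    """Compare the observed delegation with the approved baseline."""
    observed = parse_ns_records(dig_text, zone)
    baseline = {_norm(n) for n in expected}
    unexpected = sorted(observed - baseline)  # name servers nobody approved
    missing = sorted(baseline - observed)     # approved servers no longer delegated
    # An empty response also alerts, because every baseline entry is then missing.
    return {"zone": _norm(zone), "unexpected": unexpected,
            "missing": missing, "alert": bool(unexpected or missing)}

# Constructed sample: one approved name server has been swapped for an unknown one.
SAMPLE = """\
;; AUTHORITY SECTION:
brand.example.      86400   IN  NS  ns1.dns-host.example.
brand.example.      86400   IN  NS  NS9.Unknown-Host.example.
other.example.      86400   IN  NS  ns1.elsewhere.example.
"""
BASELINE = {"ns1.dns-host.example.", "ns2.dns-host.example."}

if __name__ == "__main__":
    print(check_delegation("brand.example", BASELINE, SAMPLE))
```

Querying the parent zone rather than the domain's own name servers matters here, because a change made at the registry shows up in the TLD's referral even while the legitimate servers still answer correctly.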

In related news covered by Daily Swig in January, Detectify founder Fredrik Almroth acquired the Democratic Republic of the Congo (.cd) ccTLD, and 50% of the TLD’s DNS traffic, after a registrar neglected to renew its ownership.

This article was updated on December 8th with comments from Eric Gullichsen, who is responsible for the .to ccTLD.
