How To Take Over Almost Every .mobi Site For $20

I’ll Take “WHOIS A Domain That Should Never Be Allowed To Expire” For $500 Alex.

It can be rather annoying when your domain is about to expire, with dozens of registrars you’ve never heard of sending emails demanding you re-register with them; sometimes claiming you already owe money because they registered the site for you.  There are certs to deal with and if you are lucky DNS settings to deal with.  The same is true of sites we depend on to be trustworthy, as they are used to verify the ownership of sites, the legitimacy of emails and even TLS or SSL certificates.  If the ownership of one of those domains expires due to inattention or because the owners moved to a different domain, very bad things can happen.

This just happened with dotmobilregistry.net, which used to be the WHOIS authority for any .mobi site, not so much an address you visit as it was a top level domain used to indicate a site was optimized for mobile usage.  The owners migrated the site to whois.nic.mobi and let ownership of the old site lapse. The problem being that a huge number of devices did not know that and continued to query the old site when verifying traffic.

This was noticed, thankfully by a security researcher, who grabbed ownership of dotmobilregistry.net for $20.  That meant that he could feed whatever information he felt like to the 2.5 million queries from about 135,000 unique systems he saw over the course of a few days.  He could have generated fake TLS/SSL certificates, track emails and even trick those systems into running code when they queried the site to verify traffic.  This is officially known as a bad thing.

Thankfully he only used it to distribute ASCII art to systems querying the site, and has passed ownership onto a security company for safe keeping.  This is not the first time something like this has happened and certainly won’t be the last, so be safe out there.