APNIC Whois Database Password Hashes Were Available for Download (risk of domain highjacking)

[LASER_oneXM]

The Asia-Pacific Network Information Centre (APNIC), the organization that manages domain name information for the Asia-Pacific region, fixed on Monday an error that exposed password hashes needed to access and edit domain ownership details.

The incident came to light on October 12 this when eBay employee Chris Barcellos spotted password hashes inside downloadable Whois information.

The researcher reached out to APNIC with the issue, and the company fixed the problem by the second day.

"Although password details are hashed, there is a possibility that passwords could have been derived from the hash if a malicious actor had the right tools," said the APNIC Deputy Director General.

Passwords could have led to domain hijacking
The exposed passwords were used to protect access to two sections of Whois records, called Maintainer and IRT objects.

As the name suggests, Maintainer objects store information on people/organizations authorized to manage a domain name. Similarly, IRT objects store information on a company's Incident Response Team, the people who handle abuse reports and security incidents.

An attacker that spotted the hashed passwords inside the downloadable Whois records could have cracked the hash and then used the password to insert his own details as the domain name maintainer and effectively take over a legitimate site.

Password hashes exposed since June 2017
APNIC said the hashed passwords were accidentally included in the category of downloadable Whois information back in June 2017, during an upgrade of the APNIC Whois database.
The organization has moved on to reset all Maintainer and IRT object passwords. APNIC said it did not find any evidence of abuse because of the recent slip-up.