July 17, 2017
Popular among startups, the .io TLD designates the British Indian Ocean Territory. Like every TLD, .io has authoritative name servers (authoritative NS), which in particular hold the delegations, that is the authoritative NS records, for every second-level .io domain (e.g. sitespeed.io). There are seven authoritative NS for .io (source: iana.org):
ns-a3.io    22.214.171.124
ns-a2.io    126.96.36.199    2001:678:5:0:0:0:0:1
ns-a4.io    188.8.131.52
ns-a1.io    184.108.40.206   2001:678:4:0:0:0:0:1
a0.nic.io   220.127.116.11   2a01:8840:9e:0:0:0:0:17
c0.nic.io   18.104.22.168    2a01:8840:a0:0:0:0:0:17
b0.nic.io   22.214.171.124   2a01:8840:9f:0:0:0:0:17
In early July 2017, a security engineer named Matthew Bryant received an unusual notification from a tool he was using to "map" DNS delegations for certain TLDs, one of which was .io. The tool indicated that the domain names ns-a1.io, ns-a2.io, ns-a3.io and ns-a4.io were available for registration. Out of curiosity, Matthew Bryant ordered the registration of those four domain names and was surprised to see the registrations go through. As a result, he controlled 4 of the 7 .io authoritative NS. He immediately contacted the relevant registry operator to draw its attention to the situation.
How could this have happened? The situation apparently originated in an error during the transfer of registry operations for the .IO TLD to Afilias: the 4 domain names affected by the transfer were not locked down by Afilias, so they remained available for registration for several days before the registrations described above took place.
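The weak spot here is an in-bailiwick delegation: four of the .io name servers are named inside .io itself, so whoever holds the registration of ns-a1.io through ns-a4.io holds those servers. A registry or a zone owner can catch this with a routine check that, for every NS host under the zone, confirms the registrable domain exists and is locked. The script below is an added illustration of that check and is not code from the original article or from Matthew Bryant's tool; it parses the seven-server listing printed above and audits it against a registry state that is constructed here to mirror the incident (nic.io locked, the four ns-aN.io names absent). In a real deployment the constructed dictionary would be replaced by an RDAP or WHOIS lookup of each registrable domain.

```python
import ipaddress
from dataclasses import dataclass, field

# The .io name-server listing exactly as printed above (hostname, IPv4, optional IPv6).
IO_NS_LISTING = (
    "ns-a3.io 22.214.171.124 ns-a2.io 126.96.36.199 2001:678:5:0:0:0:0:1 "
    "ns-a4.io 188.8.131.52 ns-a1.io 184.108.40.206 2001:678:4:0:0:0:0:1 "
    "a0.nic.io 220.127.116.11 2a01:8840:9e:0:0:0:0:17 "
    "c0.nic.io 18.104.22.168 2a01:8840:a0:0:0:0:0:17 "
    "b0.nic.io 22.214.171.124 2a01:8840:9f:0:0:0:0:17"
)

# Constructed registry state standing in for an RDAP/WHOIS lookup. Only nic.io is
# present and locked; ns-a1.io..ns-a4.io are absent, i.e. available for registration,
# which is the condition the article describes.
CONSTRUCTED_REGISTRY_STATE = {"nic.io": "locked"}


@dataclass
class NameServer:
    host: str
    addrs: list = field(default_factory=list)


def is_ip(token):
    """True if the token is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_ns_listing(text):
    """Turn a flat 'host addr [addr] host addr ...' listing into NameServer records.

    Any address token is attached to the most recently seen hostname.
    """
    servers = []
    for token in text.split():
        if is_ip(token):
            if not servers:
                raise ValueError("address before any hostname: " + token)
            servers[-1].addrs.append(token)
        else:
            servers.append(NameServer(token))
    return servers


def registrable_domain(host, zone):
    """Return the second-level domain of host under zone, or None if out of bailiwick.

    'a0.nic.io' under 'io' -> 'nic.io'; 'ns-a1.io' under 'io' -> 'ns-a1.io';
    'ns1.example.com' under 'io' -> None (its registration is outside this zone).
    """
    labels = host.rstrip(".").lower().split(".")
    zone_labels = zone.strip(".").lower().split(".")
    if len(labels) <= len(zone_labels) or labels[-len(zone_labels):] != zone_labels:
        return None
    return ".".join(labels[-len(zone_labels) - 1:])


def audit_delegation(servers, zone, registry_state):
    """List in-bailiwick NS hosts whose registrable domain is not registered and locked.

    Returns (ns_host, registrable_domain, status) triples; status is 'available'
    when the domain is absent from the registry, otherwise the recorded status.
    """
    findings = []
    for ns in servers:
        domain = registrable_domain(ns.host, zone)
        if domain is None:
            continue  # out-of-bailiwick NS: audited against its own parent zone instead
        status = registry_state.get(domain, "available")
        if status != "locked":
            findings.append((ns.host, domain, status))
    return findings


if __name__ == "__main__":
    servers = parse_ns_listing(IO_NS_LISTING)
    for host, domain, status in audit_delegation(servers, "io", CONSTRUCTED_REGISTRY_STATE):
        print(f"ALERT: NS {host} depends on {domain}, which is {status}")
```

Run against the constructed state, the audit raises an alert for ns-a3.io, ns-a2.io, ns-a4.io and ns-a1.io and stays silent for the three nic.io servers. The same function applied to any zone's NS set (a company's own domain, for instance) flags the case where a name server lives under an unlocked or expiring registration.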
Things had returned to normal as this article was being written. Had the registrations been made by ill-intentioned individuals, the authoritative NS takeover described above could have affected thousands of domain names registered under the .io TLD, for example by redirecting internet users' requests to fraudulent websites.
A detailed write-up by Matthew Bryant himself is available on thehackerblog.com.