Feeds

ICANN: Privates leaked in top-level domain land grab blunder

gTLD applications viewable by rival web biz barons

Secure remote control for conventional and virtual desktops

ICANN has revealed that it took down its top-level domain application system yesterday after discovering a potentially serious data leakage vulnerability.

As El Reg reported earlier today, ICANN shut down its TLD Application System (TAS) – the web application companies use to apply for new gTLDs – due to unspecified "unusual behaviour".

The organisation has now revealed that while there was no "attack" as such, it had found that some TAS users could access data belonging to other TAS users.

"We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios," COO Akram Atallah said in a statement.

"Out of an abundance of caution, we took the system offline to protect applicant data," he added. "We are examining how this issue occurred and considering appropriate steps forward."

The vulnerability has potentially serious implications due to the level of secrecy surrounding the majority of new gTLD applications.

Companies in general don't want to reveal which gTLDs they are applying for while the ICANN application window is still open. If it were revealed that Coca-Cola had applied for .drink, for example, that might prompt Pepsi to file a competing application.

Because ICANN's method of last resort for resolving these so-called "contention sets" is an auction, a prematurely revealed application could therefore wind up costing hundreds of thousands of dollars – even millions of dollars – more.

It's quite possible that gTLD strings may have been included in the leaked user names and file names, though ICANN has yet to confirm the extent of this problem.

It's also not yet known which applicants had access to which other applicants' data, and whether any of the leaked information was acted upon.

The new gTLD application window was due to close yesterday at 1159 UTC, but ICANN shut down the TAS about 12 hours before the deadline after becoming aware of the vulnerability.

The filing deadline has now been extended until next Friday, but ICANN does not plan to bring the TAS back online until Tuesday, by which time it expects to have fixed the bug. ®

Security for virtualized datacentres

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
'Serious flaws in the Vertigan report' says broadband boffin
Report 'fails reality test' , is 'simply wrong' and offers ''convenient' justification for FTTN says Rod Tucker
This flashlight app requires: Your contacts list, identity, access to your camera...
Who us, dodgy? Vast majority of mobile apps fail privacy test
Apple Watch will CONQUER smartwatch world – analysts
After Applelocalypse, other wristputers will get stuck in
Shades of Mannesmann: Vodafone should buy T-Mobile US
Biting the bullet would let Blighty-based biz flip the bird at AT&T
Drag queens: Oh, don't be so bitchy, Facebook! Let us use our stage names
Handbags at dawn over free content ad network's ID policy
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.