Como–D'oh! Infosec duo exploits OCR flaw to nab a website's HTTPS cert

Pair abused typo blind spot to game certificate authority

Image: Seinfield. Credit: NBC.

Two European security researchers exploited Comodo's crappy backend systems to obtain a HTTPS certificate for a domain they do not own.

That cert could be used to impersonate the website, allowing passwords and other sensitive information to be swiped from victims in man-in-the-middle attacks.

The infosec bods, Florian Heinz and Martin Kluge, found that the CA uses optical character recognition (OCR) software to process requests for certificates. This image-recognition system is designed to ensure server-side certs are only sent to the registered owner of that domain.

Comodo uses OCR to parse screen grabs of records from domain-name registries or registrars when verifying the ownership of a website. Thanks to shortfalls in the OCR system used, Comodo can fail to distinguish an authentic domain name from one with similar characters (such as the number "1" instead of the letter "l") and end up giving valid certificates to owners of the fake domain.

Comodo says that upon hearing from the researchers, it suspended the use of the OCR software and will be reviewing certificates it issued using the optical recognition tools between July 27 and September 28 of this year.

The issue, it seems, is due to privacy protections in place on the .eu and .be domains. In order to prevent the scraping of contact details, some registries and registrars do not allow automated WHOIS lookups to pull email addresses. Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by bot.

Comodo, meanwhile, normally relies on the automated WHOIS lookup to verify its applications. When a person requests a certificate via email, the CA gets the contact information from the WHOIS lookup and sends a verification message to that address, at which point the applicant would click a link to verify they own that domain and obtain their certificate.

When the owner's address can't be read automatically for .be and .eu domains, Comodo instead uses the OCR to match the characters, and here is where the researchers found their weak point.

By registering a domain name similar to that of their target (an Austrian service provider), they were able to send Comodo's application system a request for a certificate for the targeted domain. Failing to spot the one character difference (the letter "l" and number "1"), the system errantly sent a verification email to the researchers' domain believing it to be the one listed in the WHOIS report.

According to Comodo's incident report, the researchers contacted it directly on September 23 and upon verifying the issue, the OCR system was disabled. So far, no other incidents of fake certificate registrations have been found. ®


Biting the hand that feeds IT © 1998–2017