Confidential information exposed over 300 times in ICANN security snafu

Two months after claiming there was "no indication" that confidential information was exposed in a security cock-up, domain name overseer ICANN has admitted it happened on at least 330 occasions.

Following an audit of its main customer portal, the organization confirmed what we reported at the start of March: that misconfigured Salesforce software had given every user access to every other user's information, including financial projections, launch plans and confidential exchanges.

All any authorized user had to do was tick a box on the advanced search page to be served attachments connected to any of the more than 1,500 applications for new dot-word domains like .blog and .london, over a third of which came from the world's biggest brands.

The audit revealed that happened 330 times between 17 April, 2013, and 17 March, 2014, and impacted 96 applicants. The searches were carried out by 19 users.

ICANN's new CIO Ashwin Rangan admitted in an interview today that his org does not know if the confidential attachments were downloaded or not. Those impacted "will be informed shortly," Rangan added in a statement.

ICANN said it realizes that "any compromise of our users' data is unacceptable," and that it "deeply regrets this incident." It pledged "to accelerate our efforts to harden all of our digital services."

Incredibly, however, it appears to place blame on the users that used the advanced search feature: "ICANN is contacting the user or users who appear to have viewed information that was not their own and requiring that they provide an explanation of their activity. We are also asking them to certify that they will delete or destroy all information obtained and to certify that they have not and will not use the data or convey it to any third party."

It also said it plans to tell those affected by the security snafu who exactly had been looking at their records.

Just one of many

ICANN has a history of security breaches despite being the organization in charge of the internet's domain name system and being in line to take over the critical IANA functions, which the internet depends on for its smooth running.

A "glitch" in its application software for the hundreds of new top-level domain names back in April 2012 also allowed users to see the details of other applicants.

ICANN took down its web app for a month, and was forced to delay the launch of its landmark program that it had been working on for more than four years.

In December 2014, the organization admitted that a number of its systems had been compromised including the Centralized Zone Data System (CZDS) – where the internet core root zone files are mirrored – the wiki pages of the Governmental Advisory Committee (GAC), the domain registration Whois portal, and the organization's blog. That incident revealed that ICANN did not use even basic two-factor authentication for many of its systems.

And those are just the security breaches that ICANN has owned up to. In an extensive paper published by dot-com registry and maintainer of the internet's root zone Verisign late last year, a long list of technical and security problems at ICANN were highlighted. It noted a "growing list of examples where ICANN's operational track record leaves much to be desired." ®