Turkmenistan TLD Leaks Domain Data, Unencrypted Passwords
A group of pentesters in Iran have successfully breached Turkmenistan’s Domain Registry and gained access to the name-server management console for the registered .tm domains.
The hackers say they found a way to inject SQL through hidden form fields whose values were neither validated nor sanitized. The attack yielded a complete database dump, which one would expect to contain customer names, e-mail addresses and hashed passwords. Wrong. Just like the Romanian Domain Registry RoTLD, the Turkmen website was storing passwords in plain text, readily available for abuse.
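To show the class of bug in miniature, here is an added example (not code from this post or from the attackers' write-up) using Python's sqlite3 against an in-memory database with invented table and column names: a value taken from a hidden form field is pasted into the query text, a UNION payload turns the domain lookup into a dump of e-mail addresses and clear-text passwords, and a second payload reads the schema, which is the first step of the "automatic" dump the write-up describes. The parameterised version of the same query is shown beside it.

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for a registry database; not the real nic.tm schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, owner_email TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO domains VALUES (1, 'example.tm', 'admin@example.tm');
        INSERT INTO users   VALUES (1, 'admin@example.tm', 'sunshine');
        INSERT INTO users   VALUES (2, 'ops@example.tm',   'wendy');
    """)
    return conn


def lookup_domain_vulnerable(conn, domain_id):
    """Hidden-field value interpolated straight into the SQL text: injectable."""
    sql = "SELECT name, owner_email FROM domains WHERE id = '%s'" % domain_id
    return conn.execute(sql).fetchall()


def lookup_domain_safe(conn, domain_id):
    """Same query with a bound parameter: the value is data, never parsed as SQL."""
    sql = "SELECT name, owner_email FROM domains WHERE id = ?"
    return conn.execute(sql, (domain_id,)).fetchall()


# Payload an attacker would place in the hidden <input name="domain_id"> field.
# The closing quote ends the intended literal, UNION grafts the users table
# (e-mail + clear-text password) onto the result, and "--" comments out the rest.
INJECTED_DOMAIN_ID = "0' UNION SELECT email, password FROM users --"

# Same hole, used to enumerate tables before dumping them. sqlite_master is
# SQLite's catalogue; on MySQL/PostgreSQL the equivalent is information_schema.
SCHEMA_PAYLOAD = "0' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = build_sample_db()
    print("schema:    ", lookup_domain_vulnerable(db, SCHEMA_PAYLOAD))
    print("vulnerable:", lookup_domain_vulnerable(db, INJECTED_DOMAIN_ID))
    print("safe:      ", lookup_domain_safe(db, INJECTED_DOMAIN_ID))
```

The safe variant returns nothing for the payload because the whole string is bound as one value that no integer id equals; the fix is the bound parameter, not escaping, and it applies to hidden fields exactly as to visible ones, since the client controls both.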
“In terms of data gathering, we made the attack automatically and dumped the whole database. Another considerable note was the passwords: they have been saved in clear text, and this is an unacceptable issue for the NIC of a country,” reads the blog post (since it contains the actual dump, we won’t be linking to it here).
Among the domains registered through the nic.tm website are youtube.tm, gmail.tm, intel.tm, orkut.tm, google.tm, yahoo.tm and other sites with zillions of users per day. Since authentication to the NS management control panel is done with an e-mail address and password (both leaked in plain text), the impact of the incident is easy to grasp: an attacker could pick any domain name from the list, craft a phishing page, then log in to the control panel and repoint the domain’s DNS entries at the server hosting the phony page.
It’s 2013 and most programming languages have built-in support for the most popular (and even the most obscure) digest algorithms; importing the library and calling it takes a couple of lines. For passwords specifically, the right tool is a salted, deliberately slow password-hashing function (bcrypt, scrypt or PBKDF2) rather than a bare MD5 or SHA digest, which a dictionary attack still tears through in seconds. Either way it is a few lines of code that make the e-world a better place for your customers.
PS: If you happen to grab a copy of the leaked data, have a look at how secure the passwords used by the world’s most prominent technology makers are.
Now, repeat after me: account security – you’re doing it wrong.

ViRii
Your P.S. made me curious, so I searched for that dump.
google99 ,laser19, motor, Norma, wendy , becool1, VApass, bombomb,sunshine
Nice passwords :))
And at the time I’m writing this post… it seems there is “another NIC data leakage (NIC.LK)”.
Bogdan Botezatu
I always wondered how these accounts haven’t been jacked by now. Given the (lack of) complexity and their sheer predictability, they would be defeated in a matter of seconds via a dictionary.
ViRii
Before seeing that password list, I presumed they used passwords like this:
“f7H6@#G$%^)n jh^V534G”, anyway something that, once hashed, would take at least a few years to brute-force (md5/sha/etc).
So it’s possible that no one thought of running a dictionary attack against a top-level domain :))
Someone will have to answer a question: sunshine, who is wendy? :-w