the m group security advisory [2017090100]

Zero-confirmation inter-account transfers of .uk domains with eNom

Vendor description

eNom is one of the world's largest domain registrars holding over 15 million domain names as well as offering a host of domain and hosting related services. eNom are also a large internet reseller, powering at least part of the domain name registration systems for many registrars including NameCheap.

https://www.enom.com

eNom were recently acquired by Tucows.

Vulnerability & description

Update: eNom have disabled inter-account .uk transfers as of 2017-09-02 which mitigates this issue. Inter-account .uk transfers are no longer vulnerable as they are no longer possible without manual assistance from eNom. The details below are for reference only.

eNom allows zero-confirmation .uk domain transfers between reseller accounts. This bypasses all account security and the usual domain transfer authorisation. Combined with instant IPS tag changes at Nominet, the .uk registry, .uk domains can be hijacked within minutes and placed into a state where only a manual access restoration procedure with Nominet can recover them.

This vulnerability is accessible to and impacts anyone with an eNom account or anyone with an account with an eNom reseller which provides automated domain transfers.

The vulnerability is within eNom's .uk transfer system and impacts direct .uk domains only (for example, example.uk). It does not impact names registered under Nominet's second-level domains such as .co.uk and .org.uk.

Steps to reproduce

  1. Open an account with eNom or with an eNom reseller which integrates with eNom over their APIs, for example NameCheap.
  2. Identify a .uk domain managed by eNom. Any .uk domain with an IPS tag set to ENOM is vulnerable.
  3. Issue an inbound transfer request from the reseller.
  4. Within a few minutes the .uk domain will "successfully complete" transfer to your reseller account with no notice given to the original owner and no confirmation of any kind required.
  5. (optional) Immediately transfer the domain elsewhere by changing the IPS tag and registrant email address making the domain extremely difficult if not impossible to recover without a manual intervention by Nominet.

Testing

Confirmed with domain hijacking between NameCheap and eNom using test domains. The eNom platform and all eNom resellers are assumed to be vulnerable.

Solution

This vulnerability is with a remotely hosted platform, therefore there is no available local solution until eNom resolve the security issue.

Work-around

Transfer all .uk domains away from eNom. Any .uk domains with the IPS tag set to ENOM should be transferred away from eNom immediately.

NOTE: during our own domain migrations away from eNom it was discovered that eNom do not update .uk contact details in certain instances in their own control panel. This can cause domains to appear to have valid registrant contact email addresses but they actually have incorrect details stored at Nominet. Domains which have their IPS tags changed to push them away from eNom can then be left in a permanently locked and useless state as authorisation emails sent to invalid registrant contact addresses can never be authorised.

It is critical that registrant contact details be force-updated from eNom's control panel before you change the IPS tags even if the contact details look correct or you may be required to manually contact Nominet (and pay a fee) to restore your domain. You can verify your .uk registrant contact details directly with Nominet by opening a Nominet Online Services account for free.
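To act on the work-around you first need to know which of your names are actually in scope: direct .uk names (not .co.uk, .org.uk and so on) whose IPS tag at Nominet is ENOM. The following script is an added example written for this advisory, not code from the m group, eNom or Nominet. It checks the label structure of each name and parses the "Registrar: ... [Tag = XXX]" block that Nominet's public WHOIS service (whois.nominet.uk, port 43) returns; the exact WHOIS layout, the registrar names and the tags other than ENOM in the embedded sample replies are constructed for the example and are assumptions, as is the helper name audit().

```python
"""Flag direct .uk domains whose Nominet IPS tag is ENOM.

Added example for the eNom .uk inter-account transfer advisory (not the
vendor's or the advisory author's code). Scope follows the advisory:
only direct .uk names (example.uk) are affected, never names under the
second-level domains (example.co.uk, example.org.uk, ...).
"""
import re
import socket

NOMINET_WHOIS = "whois.nominet.uk"  # Nominet public WHOIS, RFC 3912 on port 43
AT_RISK_TAG = "ENOM"                # IPS tag named in the advisory

# Assumed layout of the registrar block in a Nominet WHOIS reply:
#     Registrar:
#         Some Registrar Ltd [Tag = SOMETAG]
TAG_RE = re.compile(
    r"Registrar:\s*\n\s*(?P<name>[^\[\n]+?)\s*\[Tag\s*=\s*(?P<tag>[A-Za-z0-9-]+)\]"
)


def is_direct_uk(domain: str) -> bool:
    """True for names directly under .uk (two labels), e.g. example.uk."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[-1] == "uk" and all(labels)


def ips_tag(whois_text: str):
    """Extract the IPS tag from a Nominet WHOIS reply, or None if absent."""
    match = TAG_RE.search(whois_text)
    return match.group("tag").upper() if match else None


def query_whois(domain: str, server: str = NOMINET_WHOIS, timeout: float = 10.0) -> str:
    """Live WHOIS lookup over TCP/43 (RFC 3912). Not used by the offline sample."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def audit(domains, lookup=query_whois):
    """Return the names that are both in scope (direct .uk) and tagged ENOM.

    `lookup(domain)` must return the WHOIS reply text; pass query_whois for
    live checks or a dict lookup for offline testing.
    """
    at_risk = []
    for domain in domains:
        if not is_direct_uk(domain):
            continue  # .co.uk, .org.uk etc. are outside the advisory's scope
        if ips_tag(lookup(domain)) == AT_RISK_TAG:
            at_risk.append(domain)
    return at_risk


# Constructed sample replies in the assumed Nominet layout (not real lookups).
SAMPLE_WHOIS = {
    "example.uk": (
        "    Domain name:\n        example.uk\n\n"
        "    Registrar:\n        Example Registrar A [Tag = ENOM]\n"
        "        URL: http://www.enom.com\n"
    ),
    "example.co.uk": (
        "    Domain name:\n        example.co.uk\n\n"
        "    Registrar:\n        Example Registrar A [Tag = ENOM]\n"
    ),
    "other.uk": (
        "    Domain name:\n        other.uk\n\n"
        "    Registrar:\n        Example Registrar B [Tag = EXAMPLE-TAG]\n"
    ),
    "unregistered.uk": "    This domain name has not been registered.\n",
}

if __name__ == "__main__":
    # Offline run against the constructed samples; for a live audit of your
    # own portfolio call audit(your_domains) with the default query_whois.
    print(audit(list(SAMPLE_WHOIS), SAMPLE_WHOIS.__getitem__))
```

Only example.uk is reported: example.co.uk carries the same tag but is out of scope, other.uk is at a different registrar, and the unregistered name has no tag at all. Nominet rate-limits its public WHOIS, so for a large portfolio run the live lookups slowly or use a Nominet Online Services account as the advisory suggests.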

Vendor contact timeline

Apologies in advance for the length of the contact timeline summary.

2017-05-02 (initial report) - During routine domain transfers we noticed a large block of .uk domains vanished from our eNom reseller account without confirmation or logs. The original zero-confirmation inter-account .uk domain transfer issue was reported to eNom.

2017-05-03 (+1 day) - the m group contact eNom support by phone after no response to our ticket and were informed the issue would be looked into. We were advised to try transferring the domains back to our account. Our test transfer of a .uk domain fails as eNom are now enforcing a 60-day ICANN transfer lock within eNom.

2017-05-03 (+1 day) - Written response from eNom that the issue will need to be looked into by their registry developers and that we should wait to hear from them.

2017-05-04 (+2 days) - Written update that eNom are still looking into the issue. eNom confirm the domains are now transfer locked after being removed from our reseller account.

2017-05-08 (+6 days) - the m group request an update. The .uk domains are still missing from our account.

2017-05-16 (+14 days) - Written update from eNom that they are still looking into the issue. eNom have been advised by their developers that they do not issue authorisation emails for inter-account or inter-reseller .uk transfers.

2017-05-16 (+14 days) - the m group contact eNom by phone to request an update on our missing domains and to express the severity of the issue. We request in writing how inter-reseller .uk transfers are meant to be authenticated if eNom do not issue authorisation emails or apparently perform any other checks of any kind.

2017-05-29 (+27 days) - the m group request an update from eNom via a phone call. We formally demand that either the domains be returned to our reseller account or that eNom provide transfer logs of the authorised transfers. We re-stress that this security issue must impact all of their clients and the severity of the issue.

2017-05-29 (+27 days) - Written update from eNom that they do not currently have enough information. They repeat that they understand how pressing the issue is, however they are unable to suggest any way to move the domains back to our reseller account or to provide transfer logs. eNom are unable to detail how the transfers occurred in the first place, however eNom confirm they have been in contact with their developers.

2017-05-31 (+29 days) - eNom close our support ticket.

2017-05-31 (+29 days) - the m group re-open the support ticket and re-request an update. We re-stress the severity of the apparent issue and that it impacts all eNom customers and resellers.

2017-06-11 (+40 days) - Written update from eNom that they have "worked with NameCheap" and they can report that all of the domains "were transferred to Namecheap successfully".

2017-06-12 (+41 days) - the m group re-iterate the original issue. The domains were not transferred successfully; they were removed from our reseller account without any authorisation or confirmation. We provide detailed steps to reproduce the problem and again demand that we must have either the domains returned to our account or transfer logs provided for the transfers. We re-stress for a fourth time that this issue must impact all .uk inter-account transfers and that they may wish to escalate this to someone who can look into the issue.

2017-06-15 (+44 days) - Written update from eNom that they had misunderstood the previous message. eNom have mistakenly come to the conclusion that our reseller account may have been compromised and placed transfer restrictions on our account. This restriction blocks the m group from transferring any domains away from eNom. eNom request that we contact their account team to restore our reseller account. This is a critical misunderstanding of the issue: the security flaw is with the eNom .uk transfer process and not with our account, which has no indications of being compromised in any way.

2017-06-15 (+44 days) - the m group stress that there is absolutely no evidence our account has been compromised and that this is an issue with eNom's .uk inter-reseller transfer system itself. We request that eNom immediately remove all security restrictions on our account.

2017-06-15 (+44 days) - Written update from eNom that they are still looking into the issue.

2017-06-15 (+44 days) - the m group re-detail the issue and that eNom need to either restore the domains to our account or provide transfer logs.

2017-06-15 (+44 days) - Written confirmation from eNom that senior staff are looking into the issue. eNom request if the m group are disputing the original transfers of the domains which vanished without confirmation from our account.

2017-06-15 (+44 days) - the m group contact Nominet, the .uk registry, to report our ongoing issues with eNom and the security impact of eNom's handling of .uk domains.

2017-06-16 (+45 days) - the m group notify eNom in writing that they do not formally dispute the transfers as this would imply the transfer authorisation was fraudulent rather than non-existent. We re-stress that this is not an account security issue but a flaw with the eNom .uk transfer process. We request an update on when this issue will be resolved.

2017-06-16 (+45 days) - Written confirmation from eNom that they confirm this is a security issue with .uk transfers and they will update us when they know more.

2017-06-16 (+45 days) - the m group acknowledge the confirmation of the security issue and request a statement confirming a security issue that we can share with our clients who have been impacted by the unauthorised domain transfers.

2017-06-16 (+45 days) - Written update from eNom they confirm they should be sending confirmation transfer emails for inter-reseller .uk transfers, but are not sending any at the moment. eNom write that they will keep us updated.

2017-06-17 (+46 days) - the m group perform independent testing by opening a test NameCheap account and issuing a transfer request for a test domain on our eNom reseller account. The test is successful and the .uk domain is immediately transferred without confirmation to our NameCheap account. We inform eNom of our testing including with transfer and order numbers for them to confirm. Given this is confirmed with direct testing and eNom have confirmed it's a security issue with their .uk transfer process we request if eNom have a bug bounty program.

2017-06-17 (+46 days) - Written confirmation from eNom that they have forwarded details of our testing to their engineers and that eNom do not have a bug bounty program.

2017-06-27 (+56 days) - the m group request an update. We have had no reply from eNom's account team and our account is still under an erroneous transfer security lock. We contact eNom by phone and support ticket detailing that there are no security concerns with our account and that the account was restricted erroneously. We are informed that only their account team can remove the restriction and that support cannot assist further. the m group has had no reply from eNom's account team.

2017-06-29 (+58 days) - Written confirmation from eNom that they have engineers looking to make code changes to resolve the inter-account transfer issue. eNom confirm that all inter-account .uk transfers are impacted, but they can confirm this does not impact .uk transfers to other registrars.

2017-07-04 (+63 days) - the m group have still had no reply to date from eNom's account team. Our account remains erroneously limited. We demand eNom restore the ability to transfer domains away from eNom within 24 hours as the account restriction is impacting our business and general company operations.

2017-07-04 (+63 days) - Written confirmation from eNom that they are still looking into the issue and cannot provide an estimated resolution time.

2017-07-04 (+63 days) - the m group again demand the limitations on our reseller account be removed.

2017-07-04 (+63 days) - Written confirmation from eNom that the account limitation can only be removed by the account team who have not responded to any attempt to contact them and that the account team can only be reached by email. eNom inform us they will update us within 24 hours.

2017-07-05 (+64 days) - Written confirmation from eNom that, despite their previous claims of being unable to do so, they have removed the transfer restrictions on our account.

2017-07-05 (+64 days) - the m group confirm our eNom reseller account transfer access has been restored. We begin transferring domains away from eNom. Our account was limited from making outbound transfers for three weeks.

2017-08-10 (+100 days) - the m group request an update on the .uk inter-account transfer security issue.

2017-08-10 (+100 days) - Written update from eNom that they have escalated the issue but cannot provide any update on when the issue will be resolved.

2017-08-24 (+114 days) - the m group completes outbound transfer of all of our domains away from eNom.

2017-08-28 (+118 days) - the m group request an update on the .uk inter-account transfer security issue.

2017-08-29 (+119 days) - Written update from eNom that they have not heard any response internally on the issue.

2017-08-29 (+119 days) - the m group inform eNom in writing that this errata will be published on Friday the 1st of September, 2017, 122 days after the original report. We urge eNom again to patch their .uk inter-account transfer process or, if that is not possible, disable inter-account .uk transfers until it is resolved.

2017-09-01 (+122 days) - Errata made public and notification sent to NameCheap and Nominet.

2017-09-02 (+122 days and 9 hours) - eNom disable inter-account .uk transfers with the following statement sent via email to resellers:

We have identified a vulnerability that allowed for zero-confirmation .UK domain transfers between Enom reseller accounts (inter-account transfers). The internal domain transfer for .UK domains allowed for the domain transfer authorization process to be bypassed. We have corrected the issue by disallowing our system from auto-approving inter-account domain transfer requests for .UK domains. Future inter-account transfers for .UK domains will require assistance from customer support.

Please note: No other TLDs were impacted. Your .UK domains in your Enom account are not at risk and no action is required on your part.

If you have any concerns, please contact support at customercare@enom.com.

The Enom team

Screenshot here: https://m.pr/static/misc/enom-errata-email.png

2017-09-02 (+123 days) - NameCheap respond confirming they have been in contact with eNom to assist in immediately resolving the security issue.

Contact

the m group, Sydney office, hi@m.pr