Whois Password Hashes Remained Downloadable for Months – APNIC Promises “No Permanent Transfer of IP Resources”
The Asia-Pacific Network Information Centre (APNIC) has said that a security incident has resulted in the exposure of authentication data. The not-for-profit organization that provides internet addressing services in the Asia-Pacific region has apologized after an error in its Whois database configuration leaked some credentials, including weakly hashed passwords, that could have been used to access and edit domain ownership details.
The problem was first noticed by an eBay employee, Chris Barcellos, who spotted password hashes inside downloadable Whois data. Barcellos reported the technical error to APNIC on October 12, and the issue was fixed the next day.
Due to a technical error during the upgrade of APNIC’s whois database in June 2017, hashed authentication details for APNIC whois Maintainer and IRT objects were inadvertently included in downloadable whois data, which is released to certain external parties under an Acceptable Use Policy.
In a post, APNIC Deputy Director General Sanjaya wrote that "although password details are hashed, there is a possibility that passwords could have been derived from the hash if a malicious actor had the right tools."
Exposed Whois data could have enabled attackers to change domain ownership
The exposed data was used to protect access to APNIC whois Maintainer and IRT objects. Maintainer objects store information on the owners that manage a domain name, while IRT objects store data on a company's incident response team, which handles security issues and receives reports of network abuse. Using the exposed credentials, hackers with the right tools could have hijacked domains by changing the details in Maintainer and IRT objects, taking over websites.
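The root cause described above is a bulk export that carried the Maintainer and IRT objects' authentication attributes along with everything else. The script below is an added example, not APNIC's own tooling, of the two controls a registry operator would want around such an export: a redaction pass that strips password hashes from objects before they are published, and an audit pass that scans a dump for any hash that slipped through. It assumes the RPSL text format used by RIPE-style whois databases, where credentials live in an `auth:` attribute with a scheme name such as `MD5-PW` or `CRYPT-PW` followed by the hash, and where published dumps replace the hash with a `# Filtered` marker; the objects and hash values in `SAMPLE_DUMP` are constructed for the example.

```python
"""Redact and audit auth: hashes in an RPSL whois dump (added example, not APNIC code)."""
import re
from typing import Iterator, List, Tuple

# Constructed sample dump: one mntner and one irt object with made-up values.
SAMPLE_DUMP = """\
mntner:         MAINT-EXAMPLE-AP
descr:          Example maintainer
admin-c:        EX1-AP
upd-to:         noc@example.net
auth:           MD5-PW $1$abcdefgh$0123456789ABCDEFGHIJKL
mnt-by:         MAINT-EXAMPLE-AP
source:         EXAMPLE

irt:            IRT-EXAMPLE-AP
address:        Example Street 1
e-mail:         abuse@example.net
abuse-mailbox:  abuse@example.net
auth:           CRYPT-PW abcdefghijklm
mnt-by:         MAINT-EXAMPLE-AP
source:         EXAMPLE
"""

# An auth: line whose scheme is a password hash (assumed RPSL scheme names) and
# whose value is a real hash rather than a '#' comment such as '# Filtered'.
# PGPKEY-... auth values are public key fingerprints and are left alone.
AUTH_HASH_RE = re.compile(
    r"^(?P<prefix>auth:\s*)(?P<scheme>MD5-PW|CRYPT-PW)\s+(?P<value>[^#\s]\S*)",
    re.IGNORECASE,
)
FILTERED = "# Filtered"


def iter_objects(dump: str) -> Iterator[List[str]]:
    """Yield each RPSL object as a list of lines; objects are separated by blank lines."""
    block: List[str] = []
    for line in dump.splitlines():
        if line.strip() == "":
            if block:
                yield block
                block = []
        else:
            block.append(line)
    if block:
        yield block


def object_key(lines: List[str]) -> Tuple[str, str]:
    """Return (class, primary key) from an object's first attribute line."""
    cls, _, value = lines[0].partition(":")
    return cls.strip(), value.strip()


def find_exposed_hashes(dump: str) -> List[Tuple[str, str, str]]:
    """Audit pass: list (class, key, scheme) for every auth: line still carrying a hash."""
    findings = []
    for obj in iter_objects(dump):
        cls, key = object_key(obj)
        for line in obj:
            m = AUTH_HASH_RE.match(line)
            if m:
                findings.append((cls, key, m.group("scheme").upper()))
    return findings


def redact_object(obj: List[str]) -> List[str]:
    """Replace each password-hash auth: value with the '# Filtered' marker."""
    out = []
    for line in obj:
        m = AUTH_HASH_RE.match(line)
        if m:
            out.append(f"{m.group('prefix')}{m.group('scheme').upper()} {FILTERED}")
        else:
            out.append(line)
    return out


def redact_dump(dump: str) -> str:
    """Redaction pass to run before a dump is handed to external parties."""
    return "\n\n".join("\n".join(redact_object(o)) for o in iter_objects(dump)) + "\n"


if __name__ == "__main__":
    for cls, key, scheme in find_exposed_hashes(SAMPLE_DUMP):
        print(f"EXPOSED {scheme} hash in {cls} {key}")
    clean = redact_dump(SAMPLE_DUMP)
    print(clean)
    print("remaining findings after redaction:", find_exposed_hashes(clean))
```

In a real pipeline the audit pass would run on the file that is actually about to be published (the output of the export job, not its input), since the error described in the article was in the export configuration itself; a non-empty result from the audit is the signal to block the release.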
If someone did manage to derive passwords from the exposed hashes, "Whois data could potentially be corrupted or falsified for misuse," APNIC wrote, adding that its "investigations to date have found no evidence of this occurring." While the hashes remained exposed for a few months, starting from June, any rogue activity wouldn't have been permanent:
It is important to note, however, that any public misrepresentation of registry contents on whois would not result in a permanent transfer of IP resources, as the authoritative registry data is held internally by APNIC.
The agency said that it has fixed the flaw and reset all the Maintainer and IRT passwords. Sanjaya also added that users don't need to change their MyAPNIC password as "this issue is completely unrelated to MyAPNIC login credentials."
"APNIC apologizes for any inconvenience and concern that this error has caused," the organization added in its statement. APNIC has started a post-incident review to determine what led to the error and what can be done to prevent it from happening again.