Domain Hijacking Via Logic Error - Gandi and Route 53 Vulnerability

On 12 February 2021, Cyberis identified a weakness in the domain transfer processes of Gandi which allowed any Nominet registry domain (including .co.uk and org.uk domains) registered with Gandi to be transferred out of the owner’s control and into the control of an arbitrary AWS Route 53 account, without any authorisation being provided by the owner of the domain.  Exploitation of this weakness did not result in the registrant details being modified in the Nominet registry, but once an adversary has taken control of a domain they are likely to be able to satisfy the checks in place that would subsequently allow ownership details to be updated.

Cyberis reported this weakness to AWS on 12 February 2021, who engaged Gandi on the same day. Transfer of the affected Nominet domains was disabled by Gandi on 12 February 2021 whilst the weakness was investigated.

On 15 February 2021, the root cause of the weakness was identified by the Gandi security team and a patch applied.  Following testing, transfers of affected domains were re-enabled on 16 February 2021.

What is domain hijacking?

Domain hijacking is an attack whereby a threat actor takes control of a victim’s domain name.  

Generally, domain names are hijacked by adversaries with the intent to steal customer data (or even steal customers) or to interrupt the trading of other businesses.  One of the most high-profile recent examples of this type of attack occurred when the perl.com domain was hijacked.  

Most domain hijacking attacks happen when an attacker gathers personal information about the domain owner and uses this information to impersonate the owner to the domain registrar, convincing them to modify the registration information.  It can also happen when domain owner email addresses are compromised, or in conjunction with phishing attacks.

However it happens, the impact is serious.  When an adversary has control of a domain, they have control of the name servers which determine where traffic for that domain and sub-domains are routed, so they are able to control things like web traffic and email traffic to the domain.  Once a domain has been hijacked, it is often transferred to a different registrar, and it can be difficult for the victim to regain control because of the complicated network of contractual relationships.

What is the domain transfer process?

All registries have a process to transfer domain names from one owner to another.  Generally, the process for doing this is as follows:

  • Domain owner disables WHOIS/domain privacy so that the new registrar can verify ownership of the domain to be transferred.
  • Domain owner disables any transfer lock protections on the domain to be transferred.
  • Domain owner obtains a transfer authorisation code (also called an EPP code, auth code, transfer code, etc.).
    • This step is dependent on the registry the domain belongs to.
    • For Nominet-controlled domains (e.g., .uk, .co.uk, .org.uk and .me.uk), a user who wishes to transfer a domain from one registrar to another registrar needs to set a value on their domain which is known as an IPS tag.  IPS stands for "Internet Provider Security", and it acts as a label identifying domain registrars when administering domain name registration and DNS services. It is also known as a "registrar tag". When a domain is to be transferred from one registrar to another, the original registrar needs to update the IPS tag of the domain to reflect the tag of the new registrar.
  • The new owner requests a domain transfer from their new registrar.
  • The existing domain owner receives an email to the administrative email address on file for the domain requesting authorisation to transfer the domain. If the existing domain owner approves the transfer, the transfer proceeds.

What did Cyberis observe?

When working with a customer in February 2021, we identified that we were able to transfer control of any Nominet-suffixed domain registered with Gandi into the control of an arbitrary AWS account using Amazon Route 53, without the domain owner giving authorisation for the transfer.

The following precondition applied to this transfer:

  • The domain to be targeted was currently held by the Gandi registrar and therefore had an existing IPS tag of "GANDI"

Exploitation did not change the registrant details for the domain in the Nominet registry and so theoretically ownership had not changed though control had.  Once an adversary has control of the domain, however, they have control of DNS records and therefore the destination of web and email traffic to the domain.  Registrant email addresses may be hosted within the domain which is owned, and with control of those email addresses an adversary could satisfy the checks in place to take full ownership of the domain, as well as logical control.

On requesting a transfer into Route 53, the user is given a set of instructions to follow:

Image showing AWS's instructions to the user on what actions to take to transfer the domain to Route 53

We complete the order with Route 53:

Screenshot showing the order complete with Route 53

Once we complete the order to transfer the domain, we are informed that the transfer needs to be authorised by the domain owner:

Screenshot showing Route 53 reminding the user that transfer will not occur without authorisation

Instead of an authorisation email being sent to the owner of the domain, the transfer is completed automatically, and no authorisation is required:

Screenshot showing an email which states that domain transfer is complete

When looking into this issue, we note that AWS includes this line when processing a transfer of a domain into Route 53:

Amazon Route 53 enables you to register and transfer domain names using your AWS account.  However, AWS is not a domain name registrar, so we use registrar associates to perform registration and transfer services.  When you purchase domain names through AWS, you are registering your domain with one of our registrar associates.

Reviewing the Terms and Conditions related to its Route 53 services (Amazon Route 53 Domain Name Registration Agreement), we can see that Gandi SAS is one of Amazon’s registrar associates, and is used to manage the registration of Nominet-suffixed domains for Route 53.

From instructions to register Nominet-controlled domains to Route 53:

.uk, .co.uk, .me.uk, and .org.uk domains
If you're transferring a .uk, .co.uk, .me.uk, or .org.uk domain to Route 53, you don't need to get an authorization code. Instead, use the method provided by your current domain registrar to update the value of the IPS tag for the domain to GANDI, all uppercase. (An IPS tag is required by Nominet, the registry for .uk domain names.) If your registrar doesn't provide a way to change the value of the IPS tag, contact Nominet.

In the particular use-case we examined – Nominet-suffixed domains registered with Gandi – the IPS tag associated with the target domain to be transferred would have already been set to the value "GANDI", as the registrar value would not have changed.

Whilst we do not have full detail of the root cause of the issue, it appears that because the registrar, and therefore the IPS tag, remained constant throughout this transfer process, a flaw in the transfer logic meant that a transfer request into Route 53 did not prompt a transfer authorisation email, and instead triggered an automatic acceptance of the request and an update of the records stored at Gandi.
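The transfer steps listed earlier and the logic flaw described above can be modelled in a few lines. This is an added, hypothetical simplification for illustration (not Gandi's or AWS's code, and not a claim about their implementation): it contrasts an authorisation check that treats "IPS tag already matches the gaining registrar" as "transfer already authorised" with one that always requires registrant approval when the controlling account changes. The `Domain`, `TransferRequest` and account names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Domain:
    """Constructed record of a Nominet domain as its registrar sees it."""
    name: str
    ips_tag: str             # Nominet registrar tag, e.g. "GANDI"
    controlling_account: str  # account that currently administers the domain


@dataclass
class TransferRequest:
    """Constructed transfer request from a (possibly different) account."""
    domain: str
    gaining_ips_tag: str       # tag the gaining registrar expects to see
    requesting_account: str    # account the domain would move into
    registrant_approved: bool = False  # set only after the admin-contact email is approved


def flawed_transfer_allowed(domain: Domain, req: TransferRequest) -> bool:
    """Hypothetical flawed check keyed on whether the IPS tag changes."""
    if domain.ips_tag != req.gaining_ips_tag:
        # Genuine inter-registrar move: registrant must retag and then approve.
        return req.registrant_approved
    # Tag already matches the gaining registrar, so the request is treated as an
    # internal update and completed without asking the registrant. This is the
    # gap: a domain already tagged "GANDI" moves accounts with no approval.
    return True


def fixed_transfer_allowed(domain: Domain, req: TransferRequest) -> bool:
    """Corrected check: a change of controlling account always needs approval."""
    if domain.ips_tag != req.gaining_ips_tag:
        return False  # registrant has not retagged to the gaining registrar yet
    if req.requesting_account == domain.controlling_account:
        return True   # same account, nothing changes hands
    return req.registrant_approved


if __name__ == "__main__":
    d = Domain("example.co.uk", "GANDI", "owner-account")
    r = TransferRequest("example.co.uk", "GANDI", "other-account")
    print("flawed:", flawed_transfer_allowed(d, r))  # True: no approval needed
    print("fixed: ", fixed_transfer_allowed(d, r))   # False: approval required
```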

Once the target domain had been transferred into Route 53, the attacker would have complete control over the domain, including the ability to update contact and ownership information and change DNS records.  Once ownership and contact information had been updated, the attacker would also have been able to transfer the domain to other arbitrary registrars.  While emergency recovery protocols exist between registrars for such cases, moving a hijacked domain between different registrars in this way can complicate the process of recovery for the victim.

Reporting and Fix

Cyberis reported this weakness to AWS on 12 February 2021, who engaged Gandi on the same day. Transfer of the affected Nominet domains was disabled by Gandi on 12 February 2021 whilst the weakness was investigated.

On 15 February 2021, the root cause of the weakness was identified by the Gandi security team and a patch applied.

Following testing, transfers of affected domains were re-enabled on 16 February 2021.

Gandi has analysed its records and has said that it does not believe any of its customers were impacted by this weakness.