This SSL Flaw Puts Millions of .mobi Domains at Risk of Being Hijacked

A critical flaw lets threat actors steal SSL certificates from any .mobi domain, leaving millions of registered domains and websites at risk.

By Marco Rizal - Editor, Journalist 3 Min Read
Share this post?
Share this post?

A critical flaw lets threat actors steal SSL certificates from any .mobi domain, leaving millions of registered domains and websites at risk.

WatchTowr’s cybersecurity researchers found a major flaw that compromises the security of websites with the .mobi TLD (Top-level domain).

This flaw allows anyone to hijack SSL certificates for .mobi domains, potentially resulting in massive security breaches.

During their investigation, the team unintentionally became administrators of the .mobi domain system, which exposed the flaw.

WatchTowr first noticed the problem when they discovered that the .mobi WHOIS server had changed from whois.dotmobiregistry.net to whois.nic.mobi.

The original domain, dotmobiregistry.net, had expired in December 2023. After acquiring this domain, the researchers were able to establish their own WHOIS server at the previous address

image 53
Credit: watchTowr

In just six days, they received over 2.5 million queries from more than 135,000 different services.

The services that queried the outdated WHOIS server relied on its responses. As a result, the WatchTowr team could easily manipulate the data sent to these services, exposing the possibility of malicious attacks.

They responded to the queries with ASCII art and a message stating that the server was now private.

image 54
Credit: watchTowr

One of the most concerning aspects of this vulnerability is the use of SSL certificates, which are required for internet communication to be secure.

Many services use the email addresses listed in WHOIS records to confirm domain ownership prior to issuing SSL certificates.

The WatchTowr team discovered that some SSL certificate authorities, such as GlobalSign, still used the old WHOIS server for verification.

This meant that WatchTowr could easily verify ownership of any .mobi domain, including names of well-known sites like microsoft.mobi or bbc.mobi by using their own email address.

image 55

With this access, attackers could create SSL certificates for any .mobi domain, allowing them to intercept sensitive data, impersonate websites, and even redirect traffic.

SSL certificates form the foundation of secure internet communication. When a website uses an SSL certificate, it ensures that all data sent between the user’s browser and the website is encrypted.

If someone can issue fake SSL certificates, they can create convincing fake websites, steal passwords, and conduct man-in-the-middle attacks.

Although WatchTowr did not issue any fraudulent SSL certificates during their investigation, their findings point to a significant flaw in the way domain registries and SSL certificates are managed.

Modern internet security is heavily reliant on these certificates, and the ability to issue them at will poses a major threat to online security.

The WatchTowr team reported the vulnerability and set up a new server to proxy correct WHOIS responses for .mobi domains.

Leave a comment