Furthermore, this vulnerability opened the door to targeted attacks on employees of notable companies and participants in large projects: compromising an employee's mailbox would have been enough to obtain a TLS certificate for the employer's well-known domain. For instance, a successful takeover of a Google employee's @google.com mailbox would have allowed the attacker to obtain a TLS certificate for the Google.com domain itself.
The vulnerability stemmed from an error in the email-based domain control validation (DCV) flow. To confirm ownership of a domain and obtain a TLS certificate, the applicant added a DNS TXT record named "_validation-contactemail" to the domain's DNS zone, containing a contact email address. Once a domain check was initiated, a verification code was sent to that address; entering the code confirmed control of the domain and allowed a certificate to be issued. The flaw was in how the result was scoped: SSL.com also treated the domain part of the contact email address as validated, even though the TXT record only proves control of the zone it was placed in, not of the mail provider's domain. Anyone able to receive mail at a given domain could therefore have a certificate issued for that domain.
An example demonstrated by a researcher showed how the vulnerability could be exploited to obtain a valid TLS certificate for the Aliyun.com domain, which hosts the webmail service of the Chinese company Alibaba. The researcher set up a test domain through the "DCV-infector.com" service, published a _validation-contactemail TXT record under it that pointed to a mailbox on Aliyun.com, completed the email confirmation, and received a certificate for Aliyun.com.
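The scoping mistake described above, reconstructed as an added example (this is not SSL.com's code and no real DNS or mail is touched): a tiny email-to-DNS-TXT-contact validator whose `vulnerable_complete` step authorizes the contact address's domain as well as the requested one, beside a `fixed_complete` that authorizes only the domain whose zone held the TXT record. The domains, the mailbox name and the in-memory zone are constructed for the example; `aliyun.com` appears only as the mail provider from the report.

```python
"""
Email-to-DNS-TXT-contact domain validation: the authorization-scope bug
beside a corrected check. Added example, not SSL.com's code. DNS lookups
are served from a constructed in-memory zone so this runs offline.
"""
import re
import secrets

# Constructed zone. The attacker controls attacker.example and a mailbox at
# the victim's mail provider; that is all the vulnerable flow required.
FAKE_DNS = {
    "_validation-contactemail.attacker.example": ["mailbox@aliyun.com"],
}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def contact_email_for(domain):
    """Return the contact address published for `domain`, or None."""
    for record in lookup_txt(f"_validation-contactemail.{domain}"):
        if EMAIL_RE.fullmatch(record):
            return record
    return None


def start_validation(requested_domain):
    """Issue the challenge: (address the code is mailed to, code) or None."""
    email = contact_email_for(requested_domain)
    if email is None:
        return None
    return email, secrets.token_hex(8)


def vulnerable_complete(requested_domain, email, submitted, expected):
    """Bug: marks the domain of the contact *address* as validated too.
    The TXT record lives in attacker.example's zone; it proves nothing
    about aliyun.com, yet aliyun.com ends up in the authorized set."""
    if not secrets.compare_digest(submitted, expected):
        return set()
    email_domain = email.rsplit("@", 1)[1].lower()
    return {requested_domain.lower(), email_domain}


def fixed_complete(requested_domain, email, submitted, expected):
    """Corrected: the only domain this method can vouch for is the one
    whose DNS zone carried the TXT record. The address is a delivery
    channel for the code, not evidence of control over its own domain."""
    if not secrets.compare_digest(submitted, expected):
        return set()
    return {requested_domain.lower()}


def can_issue(authorized, fqdn):
    """Issuance check: fqdn must equal, or sit under, an authorized domain."""
    fqdn = fqdn.lower()
    return any(fqdn == d or fqdn.endswith("." + d) for d in authorized)


def demo():
    """Run the attacker's flow against both implementations."""
    email, code = start_validation("attacker.example")
    vuln = vulnerable_complete("attacker.example", email, code, code)
    fixed = fixed_complete("attacker.example", email, code, code)
    return {
        "vulnerable_issues_aliyun": can_issue(vuln, "aliyun.com"),
        "fixed_issues_aliyun": can_issue(fixed, "aliyun.com"),
        "fixed_issues_own_domain": can_issue(fixed, "www.attacker.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The check a CA needs is on the output side: whatever the email flow does, the set of domains a DCV method may authorize is fixed by where the proof was placed, and the issuance step should refuse any name outside that set.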
Following the report, SSL.com promptly disabled the flawed method and revoked 11 certificates that had been issued through it in cases where the contact email's domain differed from the domain being validated. Of these, only one, the Aliyun.com certificate obtained by the researcher, showed signs of exploitation. The remaining affected domains were Medinet.ca, Help.gurusoft.com.sg, Banners.betvictor.com, Production-boomi.3day.com, Kisales.com, and Medc.kisales.com. SSL.com has committed to publishing a detailed incident report by May 2.