You know how it is when a podcast you’ve only been monitoring, not really listening to, covers the story. I’m talking about Brian Krebs’s article about a DNS issue that went unnoticed for years.
When I put my DNS servers in place, I always make sure that they’re correct. If they aren’t, and I notice it when I get the confirmation email from my provider of choice, I go back to see what I did wrong. That’s what we’re supposed to do as netizens: make sure we have our stuff right.
The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.
What? Mistyping domains is common, but unnoticed for 5 years? My mistakes may have lasted minutes to an hour, not 5 years.
From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].
All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “akam.ne.”
So where were the people who should’ve been checking for this mistype and fixing it? If my DNS servers were ns1.jaredrimer.net and ns2.jaredrimer.net and I made a mistake on one of them, I’d fix it immediately on noticing.
I know that Namecheap emails me every time I change a setting for my domain.
I don’t know who Mastercard uses, but that doesn’t matter. The point here is that someone didn’t do their due diligence.
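How would a domain owner catch this kind of typo before a stranger does? Below is an added example written for this post; it is not code from Krebs’s article, from Mastercard or from Akamai. It audits a zone’s NS hostnames against the domains your provider’s nameservers are supposed to live under, flags any parent domain that is a character or two off from an expected one, and, if you pass in the set of parent domains you have confirmed as registered (via WHOIS or RDAP), calls out the dangerous case where the typo’d domain is unregistered. The nameserver names ns1/ns2/ns3.akam.net and the two-label “registrable domain” heuristic are assumptions for the example; real code should consult the Public Suffix List.

```python
"""Audit a zone's NS delegation for typo'd nameserver parent domains.

Added example for this post, not Mastercard's, Akamai's or Krebs's code.
Nameserver names and expected-domain lists below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample: a zone delegated to three provider nameservers, one of
# them typo'd so its parent domain is "akam.ne" instead of "akam.net".
# These hostnames are made up; they are not Mastercard's real NS records.
SAMPLE_NS = ["ns1.akam.net", "ns2.akam.net", "ns3.akam.ne"]

# The domains your DNS provider's nameservers are allowed to live under.
EXPECTED_PROVIDER_DOMAINS = {"akam.net"}


@dataclass
class Finding:
    nameserver: str
    problem: str
    suggestion: str | None = None


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('ns3.akam.ne' -> 'akam.ne').

    Assumption: a two-label registrable domain. Production code should use
    the Public Suffix List, since some TLDs register at the third level.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character slips like 'ne' vs 'net'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def audit_nameservers(ns_hosts: Iterable[str],
                      expected_domains: Iterable[str],
                      registered_domains: Iterable[str] | None = None,
                      max_typo_distance: int = 2) -> list[Finding]:
    """Flag NS hosts whose parent domain is not an expected provider domain.

    registered_domains, if supplied, is the set of parent domains you have
    confirmed are registered (e.g. via WHOIS/RDAP). A typo'd parent that is
    not in that set is the dangerous case: anyone could register it and
    start answering queries for your zone.
    """
    expected = {d.lower().rstrip(".") for d in expected_domains}
    registered = ({d.lower().rstrip(".") for d in registered_domains}
                  if registered_domains is not None else None)
    findings: list[Finding] = []
    for ns in ns_hosts:
        parent = registrable_domain(ns)
        if parent in expected:
            continue
        nearest = min(expected, key=lambda e: edit_distance(parent, e))
        if edit_distance(parent, nearest) <= max_typo_distance:
            problem = f"parent domain {parent!r} looks like a typo of {nearest!r}"
            host_labels = ns.rstrip(".").lower().split(".")[:-2]
            suggestion = ".".join(host_labels + [nearest])
        else:
            problem = f"parent domain {parent!r} is not an expected provider domain"
            suggestion = None
        if registered is not None and parent not in registered:
            problem += ("; it appears unregistered, so a stranger could register "
                        "it and serve your zone")
        findings.append(Finding(ns, problem, suggestion))
    return findings


if __name__ == "__main__":
    for f in audit_nameservers(SAMPLE_NS, EXPECTED_PROVIDER_DOMAINS,
                               registered_domains={"akam.net"}):
        hint = f" (did you mean {f.suggestion}?)" if f.suggestion else ""
        print(f"{f.nameserver}: {f.problem}{hint}")
```

Feed it the NS records your registrar has on file and the NS records the zone itself serves, because the two can drift apart, and run it on a schedule rather than once: a typo that survives a single manual check is exactly the kind that sits there for five years.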
The article continues:
This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West Africa nation of Niger.
Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.
The researcher didn’t do anything else but register the domain. He wasn’t interested in setting up an email server and actually using it; he just wanted to see what the domain was supposed to be used for.
But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.
“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”
Of course there wasn’t any impact to your systems: there couldn’t be until someone registered the domain, and if that someone had wanted to put email and the like in place, then shit could’ve happened.
Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.
I highly doubt that this researcher posted on LinkedIn first; I think he contacted Mastercard first. We don’t know if that is the case or not, but most researchers try to contact the company first.
Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.
“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”
So in my example, ns1.jaredrimer.net and ns2.jaredrimer.net would be all I need for working DNS. If I needed more, then I’d set up more. But I don’t know exactly how to do that, so I use ones that are already set up.
The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.
Why would they do that?
“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”
This domain had been registered once before, and Brian has the complete details on it.
Thinking Mastercard should get the stupid fuck award this time? I was civil in my write-up today. Anyone can make that mistake. Holy shit.
MasterCard DNS Error Went Unnoticed for Years is the article if you have not read it.
Mastercard, do the right thing: thank him, compensate him, and check your other settings to make sure you don’t fall into the same trap.