
So, the real question is: "How much should we freak out about this?"

If you scroll back a few months to Cloudbleed/Cloudflare we sort of collectively decided that because cache data containing sensitive info (passwords, tokens, whatever) might be accessible for your site using Cloudflare that everything should be revoked, force password resets, etc.

Now we have this vuln, which I'll dub "IOgate" because it's the cool thing to name these. We don't know if this has ever happened before, there clearly were not adequate safeguards in place, etc.

Should anyone operating a service using a ".io" TLD consider everything potentially compromised?




Cloudbleed was different in a lot of ways, not least of which because it could have been passively exploited by an unknowable number of attackers even after the bug was fixed. Here, this is an active attack that leaves a trail. The question is more like "do you trust the author?"


You make a really good point about the post patch exploitation from Cloudbleed putting that in a different category. I guess my thinking was: Is this guy the first? Are the authoritative IO domain servers compromised some other way? Are the other servers legit?


>I'll dub "IOgate" because it's the cool thing to name these.

FWIW, I've found that whenever major news outlets use the "gate" postfix for anything other than Watergate, it's an indicator that they're being manipulative (it's tabloid bullshit). They certainly didn't call it Snowdengate or Trump/Russiagate.

Keep an eye out and see if you don't agree.

I deem this Clubber's Law!


Clubbergate is well underway, I see.


Well, if it's any consolation... the domains weren't registered.


Per the article, he got them registered and pointing at his own DNS test server and received actual .io resolution requests to it.


Yes but [per the article] they weren't registered before he bought them. Obviously somebody could have done this before and stopped, or could control some of the other servers.


The post states that they were registered, used, then revoked.


Registered by the author. What lwansbrough means is that they weren't already registered, which means it's unlikely this was previously exploited unless the previous registrant let those domains expire afterwards.


The registry (and many other people who have downloaded zone files and such) would have records of these having previously been registered. If it was exploited then it would easily be possible to find that out.
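The check this sub-thread circles around can be scripted. What follows is an added example, not code from the thread or from the author of the linked post: it takes the delegation for a TLD (the NS records the root hands out), reduces each nameserver host to the second-level domain a registrar would actually sell, and flags any that is not registered, because whoever registers that name receives resolution traffic for the whole TLD. The sample `dig` output, the nameserver names `ns-x1.io`, `ns-x2.io`, `ns-y1.io`, `ns1.example.net` and the "registered" set are all constructed so the block runs offline; `dns_rcode`/`is_delegated` are an optional live probe that sends a raw SOA query to a resolver (assumed here to be `8.8.8.8`) and treats NXDOMAIN as "not in the zone". All function names are this example's own.

```python
"""Flag delegated nameserver hosts whose registrable parent domain is unregistered.

Added example; names, sample records and the "registered" set are constructed.
"""
import random
import socket
import struct
from typing import Callable, Iterable, List, Optional

# Constructed stand-in for `dig NS io.` output. Real .io nameserver names are
# deliberately not used here; these hosts are invented for the demo.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;io.\t\t\tIN\tNS

;; ANSWER SECTION:
io.\t\t\t172800\tIN\tNS\tns-x1.io.
io.\t\t\t172800\tIN\tNS\tns-x2.io.
io.\t\t\t172800\tIN\tNS\tns-y1.io.
io.\t\t\t172800\tIN\tNS\tns1.example.net.
"""

# Constructed: pretend only these two nameserver domains exist in the registry.
CONSTRUCTED_REGISTERED = {"ns-x1.io", "ns-x2.io"}


def parse_ns_records(dig_output: str) -> List[str]:
    """Return NS target hostnames from dig's answer section (owner TTL class NS target)."""
    hosts = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "NS":
            hosts.append(fields[4].rstrip(".").lower())
    return hosts


def registrable_domain(host: str, tld: str) -> Optional[str]:
    """Second-level domain under `tld` that a registrar sells, or None if the host
    lives under another TLD (out-of-bailiwick glue is a separate concern)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld.lower().strip("."):
        return None
    return ".".join(labels[-2:])


def find_hijackable(hosts: Iterable[str], tld: str,
                    is_registered: Callable[[str], bool]) -> List[str]:
    """Nameserver domains under `tld` that `is_registered` reports as absent.
    Each domain is probed once even if several NS hosts share it."""
    checked = {}
    for host in hosts:
        domain = registrable_domain(host, tld)
        if domain is None or domain in checked:
            continue
        checked[domain] = is_registered(domain)
    return sorted(d for d, present in checked.items() if not present)


def _encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dns_rcode(domain: str, resolver: str = "8.8.8.8", timeout: float = 3.0) -> int:
    """Send a recursive SOA query over UDP and return the response RCODE
    (0 = NOERROR, 3 = NXDOMAIN). Network access required; assumed resolver address."""
    qid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    query = header + _encode_name(domain) + struct.pack(">HH", 6, 1)  # QTYPE SOA, IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
    rid, flags = struct.unpack(">HH", data[:4])
    if rid != qid:
        raise ValueError("mismatched DNS transaction id")
    return flags & 0x0F


def is_delegated(domain: str) -> bool:
    """NXDOMAIN means the name is absent from the parent zone. A registered but
    undelegated domain also returns NXDOMAIN, so confirm with whois before acting."""
    return dns_rcode(domain) != 3


if __name__ == "__main__":
    hosts = parse_ns_records(SAMPLE_DIG)
    print("delegated NS hosts:", hosts)
    print("unregistered (constructed data):",
          find_hijackable(hosts, "io", lambda d: d in CONSTRUCTED_REGISTERED))
    # Live check: find_hijackable(hosts, "io", is_delegated)
```

Swap the lambda for `is_delegated` (or a whois lookup) to run it against a real delegation; the constructed data above flags `ns-y1.io` because it is absent from the "registered" set. The example does not decide whether a name was registered in the past; for that, as the comment above says, you need historical zone snapshots or registry records, not a live query.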


> Now we have this vuln, which I'll dub "IOgate" because it's the cool thing to name these

No


I would have gone for "ih oh" rather than iogate!



