
In WHOIS, every domain name has at least an email address, physical address and phone number that can be publicly accessed (assuming privacy is off).

Could the ability to receive messages/mail at these contact points allow an attacker to take over the domain or gain any other form of leverage? Or are they used purely for human contact/abuse reporting? Social engineering is allowed here.

For example:

  • The email account registered on the WHOIS contact is compromised
  • The phone number is hijacked (SIM swapping, etc)
  • Mail to the physical address is intercepted (social engineering a delivery person, etc)

This is assuming that the contact details publicly accessible in WHOIS are different to those used to access the domain registrar account.

jamieweb

1 Answer

Note that public whois data may get a good bit scarcer because of GDPR.

Email, fax, SMS, mail, or phone to a whois contact are some of the ways a Certificate Authority can validate the right to obtain a cert according to https://www.cabforum.com Baseline Requirements 3.2.2.4. Thus, unless the legitimate owner has set a CAA record to only the CA(s) it actually uses (who can recognize you as a fake) (and you haven't compromised the logins to such CA(s)), you may be able to get a fraudulent cert for (or under) the domain name.

If you are also able to divert or intercept traffic to that domain name (e.g. DNS poisoning, BGP 'mistakes', ARP spoofing, etc.), and the legitimate owner/site hasn't set HPKP or DANE, using this cert you could impersonate the site.

... except to users who do extra cert checking manually or with a browser extension or similar, and probably many(?) of those users read this Stack and are already on to you :-)

dave_thompson_085
  • Ah yes, an interesting one. This form of validation should be phased out eventually - with things like ACME available hopefully everything can move in the right direction. – jamieweb Nov 22 '18 at 00:03
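The mitigation the answer names is a CAA record that lists only the CA(s) the owner actually uses. The following is an added example (not code from the question or answer) of how a defender can audit that policy the way a CA is required to evaluate it: walk from the name up toward the root until a CAA RRset is found (the RFC 8659 "Relevant RRset" rule), then apply the `issue` / `issuewild` / critical-flag semantics. It runs against a constructed in-memory zone (`SAMPLE_ZONE`, all names under reserved example domains) instead of live DNS, so it is fully offline; the RFC interpretation encoded in the comments is the author's reading of RFC 8659, not text from the page.

```python
"""
Added example: evaluate CAA policy for a domain name following the
RFC 8659 "Relevant RRset" climbing rule and the issue / issuewild
semantics. The zone below is constructed sample data, not live DNS.
"""

# Constructed sample zone: FQDN -> list of (flags, tag, value) CAA records.
SAMPLE_ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),             # only this CA may issue
        (0, "issuewild", ";"),                        # no wildcard certs at all
        (0, "iodef", "mailto:security@example.com"),  # where a CA reports violations
    ],
    "legacy.example.com.": [(0, "issue", ";")],        # nobody may issue here
    "example.net.": [(128, "futuretag", "x")],          # unknown *critical* property
    # "example.org." has no CAA anywhere in its chain -> issuance unrestricted
}

CRITICAL = 128                     # RFC 8659 flag bit: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_rrset(zone, fqdn):
    """Return (owner, rrset) of the closest ancestor-or-self holding a CAA RRset.

    RFC 8659 section 3: a CA looks up CAA at the name itself, then each parent,
    and stops at the first non-empty RRset. Returns (None, []) if none exists.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, fqdn, ca_domain, wildcard=False):
    """True if ca_domain is permitted to issue a (wildcard) certificate for fqdn."""
    _owner, rrset = relevant_caa_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA in the whole chain: any CA may issue
    # Unknown property tag with the critical flag set: CA must refuse to issue.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, replaces issue for wildcards
    allowed = {issuer_domain(v) for _, t, v in rrset if t == tag}
    if not allowed:
        return True  # CAA present but no issue/issuewild property: unrestricted
    return ca_domain.lower() in allowed  # '' (from ';') matches no real CA


def audit(zone, fqdn, cas, wildcard=False):
    """Map each candidate CA domain to whether it could issue for fqdn."""
    return {ca: ca_may_issue(zone, fqdn, ca, wildcard) for ca in cas}


if __name__ == "__main__":
    candidates = ["letsencrypt.org", "digicert.com"]
    for name in ("www.example.com.", "legacy.example.com.", "example.org."):
        print(name, audit(SAMPLE_ZONE, name, candidates))
    print("*.example.com.", audit(SAMPLE_ZONE, "example.com.", candidates, wildcard=True))
```

Run the audit over every CA a registrar or CT log has ever issued for your names; a CA you do not use that still comes back `True` is exactly the gap the answer describes, where a contact-point hijack could be turned into a fraudulently issued certificate.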