Indian Domain Registry Security compromised – Courtesy Afilias

Afilias the well known brand name for those in the internet industry did a blunder over the weekend. As they moved registry.in to Drupal powered by Apache/2.2.3  on Red Hat Linux, they exposed source code of part core modules, due to some configuration issues.

Afilias maintains .Org .Asia and many other Top Level Domains. Anybody with Perl programming experience could download at least 4 core modules from the site.  I am not sure if they could download the entire Database of Indian Domains but you never know, hackers are the smartest Developers in my view 🙂

As a responsible citizen I first contacted registry.in and I guess it was some Security Guard who received the call and asked me to call on Monday. The I tried contacting Afilias India, but shame on them they don’t even publish a phone number on the site. Finally I got the number from JustDial and the call got diverted several times, likely ended in the US. The customer care executive wouldn’t know what “Source Code” is and when I tried to explain him, JackA$$ asked for my identification, I told him you guys have messed up on the security, as a courtesy I am trying to get this fixed, Do it or Leave it, then he softens his tone and asks the issue and I explained to him. I also e-mailed several folks at Afilias and Registry.in and finally at IST 12:06 AM Monday, I received a call saying they have fixed it.

Folks at Afilias may have to do some changes in the modules else anybody with Good LAMPerl are likely to get away with the Data, if they can spot the code. Anybody from the Dev community reading this, make sure before you deploy your systems into production, have a QA team thoroughly test it out.

Other Security Issues first discovered by goBroadband and resolved – Bharti Airtel – once again configuration issue , TRAI Website Hacked, and Business Today – Site was hacked.

Credits: Due Credit’s to a LAMP Developer – Mr. Vinod.T who first noticed this and alerted me. Thanks.

3 Comments

  1. This scare mongering post is silly and exposes your ignorance of basic technology.

    I too looked at this page, and there was no “security issue”. The CGI code to DISPLAY whois results was shown, which you can pick up at any corner technology site on the internet.

    I tried to get into the database and access was correctly LOCKED out.

    Chumma don’t make up scary headlines in order to get more readers for your blog.

    1. Author

      Where in the Post have I referred to what you are talking ? I have accessed 4 different source code files, but I am not going to reveal them by useless Anonymous provokes. Let Afilias ask me, I’ll share with them 🙂 An expert could have probably accessed more.

  2. why do u think all whois db will be kept in registry.in domain place holder ?

Comments are closed.