105 Top Level Domain applicants had info exposed
The Internet Corporation for Assigned Names and Numbers has begun notifying 105 applicants for new generic Top Level Domains that some of their information was exposed through a glitch in the online application system.
The system was taken offline April 12, which was to have been the closing day for applying for new gTLD names, and has remained offline for three weeks. At some point after the notifications are complete, ICANN will announce the reopening of the system and a new deadline for filing applications.
ICANN CSO Jeff Moss said in an online interview that there is no indication that the problem was the result of a malicious intrusion or that any information other than some user names and file names was exposed. The system was taken offline out of an abundance of caution, he said.
“It was the safest thing to do,” he said. “If we had kept it running only to find out there was a bigger problem down the road it would have been catastrophic for us.”
ICANN, the nonprofit corporation that oversees the Internet’s Domain Name System under an agreement with the Commerce Department, in June approved a controversial program to expand the number of Top Level Domains. It opened a three-month window for filing applications through its online TLD Application System (TAS) Jan. 12.
Top Level Domains are the suffixes on URLs and e-mail addresses that appear to the right of the final dot in the address. Generic TLDs are broad categories that serve large communities, such as .com for businesses, .org for public service groups, .edu for educational organizations, and .gov for government agencies. There currently are 22 gTLDs, and ICANN’s New gTLD program could expand that by thousands.
ICANN’s most recent update on the closure gives the first official word on the volume of application activity. It reports that at the time the system was taken offline there were 1,268 registered users who could file applications and who had uploaded about 95,000 attachments.
There were 455 instances in which the name of a file and the associated user name could have been viewed by another applicant, through what Moss called a problem in the way interrupted file deletions occurred on the system. There were 50 applicants who might have inadvertently viewed the information.
The security of the TAS is important because of sensitive personal and business information that could be included in applications and because of the investment required for applying. There is a $5,000 fee for registering to use the system and a $180,000 fee for each application.
An irregularity in the system first was reported March 19, but TAS remained in operation for more than three weeks after that.
“At that point in time we had no reason to believe that was a problem,” Moss said. “Only later on when we started to see the glitch express itself did we realize something had happened on the 19th.”
The glitch expressed itself in several ways, and after it had been fixed several times only to crop up again, it was obvious that the underlying problem had not been solved and the system was taken down, Moss said.
Testing still is being done, but Moss said “we are very confident that we understand what caused the issue and we corrected the issue.”