
Domain .IO ended up in the hands of cybersecurity experts for a day

Cybersecurity researcher Matthew Bryant took control of the generic top-level domain .IO for one day. This unbelievable event was the result of a very serious error made by the registry and the technical operator of the domain zone. Last Friday, Bryant was testing a program he had created to analyze and map domain zones when he discovered that the .IO domain zone responded strangely to an automated request. The response meant that four of the seven authoritative name servers of the domain zone were in domains open for registration for as little as 95 dollars per domain.

Bryant assumed it was a configuration mistake but, just in case, sent requests to register these servers. After some time, he received a response confirming that he was in control of ns-a1.io, ns-a2.io, ns-a3.io and ns-a4.io. Still not quite believing what had happened, Bryant changed the settings so that all incoming requests were redirected to a DNS server he used, and he was successful, which meant that the researcher could have redirected all incoming requests wherever he pleased.

What happened next resembled a bad joke. Bryant immediately sent an email to the official address of the registry but did not receive any reasonable answer. He ended up calling the registry's tech support to inform them that over half of all the domain's name servers were under his control at that moment. Even after that, however, the servers remained under Bryant's control for almost 24 hours. It is hard to imagine what catastrophic consequences this situation would have led to if it had been a hacker instead of a cybersecurity expert. With no effort at all, a hacker would have been able to redirect hundreds of thousands of users to phishing websites and pages infected with malware.

The situation is particularly unfortunate given the specifics of the .IO domain. Initially, it was delegated as the ccTLD of the British Indian Ocean Territory. However, the domain has recently become popular with startup founders and with developers of software, apps and computer games. At the moment, it has over 270 thousand registrations. The incident was the result of an error made a month ago. Back then, the NIC.IO registry transferred the functions of the domain zone's technical operator to Afilias but decided to retain control over the domain name servers. This is unusual, and it led to confusion during the transfer of technical functions. As a result, Afilias ensured the integrity of three servers; however, the other four ended up in domains open for registration.
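
A zone operator can catch this kind of gap by auditing its own NS set after a handover. The sketch below is an added example, not code from Bryant or the registry; the TLD "zz", its host names, the registered-names set and all function names are constructed for illustration, and it assumes name servers sit under a single-label suffix.

```python
from collections import namedtuple

# Constructed sample delegation for a made-up TLD "zz" (not real records).
SAMPLE_NS_RECORDS = """\
; constructed data: three servers under a registered name, four not
zz. 172800 IN NS a0.nic.zz.
zz. 172800 IN NS b0.nic.zz.
zz. 172800 IN NS c0.nic.zz.
zz. 172800 IN NS ns-x1.zz.
zz. 172800 IN NS ns-x2.zz.
zz. 172800 IN NS ns-x3.zz.
zz. 172800 IN NS ns-x4.zz.
"""
# Constructed registry view: the only registered name under "zz".
SAMPLE_REGISTERED = {"nic.zz"}

Finding = namedtuple("Finding", "nameserver domain")

def parse_ns_targets(zone_text):
    """Return the NS target host names from master-file style lines."""
    targets = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            targets.append(fields[4].rstrip(".").lower())
    return targets

def registrable_domain(host):
    """Assumption: single-label suffix, so the registrable name is the last two labels."""
    return ".".join(host.split(".")[-2:])

def audit_delegation(zone_text, is_registered):
    """Flag name servers whose registrable domain is not registered."""
    targets = parse_ns_targets(zone_text)
    findings = [Finding(h, registrable_domain(h)) for h in targets
                if not is_registered(registrable_domain(h))]
    return {
        "total": len(targets),
        "findings": findings,
        # More than half of the NS set exposed means most queries can be answered by an outsider.
        "majority_exposed": len(findings) * 2 > len(targets),
    }

if __name__ == "__main__":
    report = audit_delegation(SAMPLE_NS_RECORDS, SAMPLE_REGISTERED.__contains__)
    for f in report["findings"]:
        print(f"{f.nameserver}: {f.domain} is open for registration")
    print(f"{len(report['findings'])}/{report['total']} exposed, "
          f"majority={report['majority_exposed']}")
```

In production the `is_registered` callable would be backed by the registry's own database rather than a static set.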
