{"id":2875,"date":"2025-04-23T11:24:04","date_gmt":"2025-04-23T11:24:04","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2875"},"modified":"2025-04-23T11:24:04","modified_gmt":"2025-04-23T11:24:04","slug":"attackers-abused-a-bug-within-ssl-com-to-authorize-fake-certificates","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2875","title":{"rendered":"Attackers abused a bug within SSL.com to authorize fake certificates"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A flaw in SSL.com\u2019s domain control validation (DCV) process allowed attackers to bypass verification and issue fraudulent SSL certificates for any domain linked to certain email providers.<\/p>\n<p>According to an exploit demonstrated by a security researcher going by the alias Sec Reporter, attackers could abuse SSL.com\u2019s misinterpretation of email-based validation methods.<\/p>\n<p>\u201cSSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact),\u201d Sec Reporter said in a <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1961406\">Bugzilla post<\/a>. \u201cIt incorrectly marks the hostname of the approver\u2019s email address as a verified domain, which is completely erroneous.\u201d<\/p>\n<p>SSL.com is a widely trusted certificate authority (CA) that issues <a href=\"https:\/\/www.csoonline.com\/article\/564131\/what-is-ssl-how-ssl-certificates-enable-encrypted-communication.html\">SSL\/TLS<\/a> certificates\u2013digital credentials that secure data transmitted between websites and users. 
A CA failing to properly check who owns a domain could allow issuance of fake certificates, leading to domain impersonation, data theft, <a href=\"https:\/\/www.csoonline.com\/article\/566905\/man-in-the-middle-attack-definition-and-examples.html\">man-in-the-middle<\/a>, and phishing attacks.<\/p>\n<h2 class=\"wp-block-heading\">SSL.com misvalidates random email addresses<\/h2>\n<p>SSL.com has a feature where one can prove they control a domain and get a TLS (SSL) certificate by creating a special DNS TXT record\u2013an email address for SSL.com to send a confirmation code to.<\/p>\n<p>In theory, only someone who controls the domain (like xyz@example.com) should be able to create this record and receive the verification email. However, in reality, SSL.com was mistakenly trusting just the domain part of the email address (example.com).<\/p>\n<p>This allowed Sec Reporter to enter admin@aliyun.com as the record, and SSL.com assumed they controlled aliyun.com (a webmail service run by Alibaba), validating their certificates for aliyun.com and www.aliyun.com.<\/p>\n<p>This is particularly dangerous as an attacker doesn\u2019t need to have complete control over a website, e.g. 
google.com, to get a legitimate-looking certificate, as just the email address of an employee or even a free email address that\u2019s somehow linked to the domain is enough.<\/p>\n<h2 class=\"wp-block-heading\">Mis-issued certificates have been revoked<\/h2>\n<p>Sec Reporter\u2019s demonstration of the flaw was acknowledged by SSL.com, and the issue was promptly fixed.<\/p>\n<p>\u201cSSL.com acknowledges this bug report and we are investigating further,\u201d Rebecca Kelly, technical project manager at SSL.com, commented on the demonstration, quickly following with, \u201cOut of an abundance of caution, we have disabled domain validation method 3.2.2.4.14 that was used in the bug report for all SSL\/TLS certificates while we investigate.\u201d<\/p>\n<p>In a preliminary incident report attached in the comment section of the demonstration, it was revealed that a total of <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1961406#c6\">10 certificates<\/a> were mis-issued by SSL.com using the faulty method and were consequently revoked. These improperly issued certificates, with the exception of <a href=\"https:\/\/crt.sh\/?id=16452546552\">one<\/a>, were found to be non-fraudulent mis-issuance upon investigation, Kelly added.<\/p>\n<p>While CSO awaits response from SSL.com on the status of the one mis-issued certificate still not in the clear, major websites, including email and cloud providers, are advised to cross-check the entire list of mis-issued certificates to be extra vigilant.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A flaw in SSL.com\u2019s domain control validation (DCV) process allowed attackers to bypass verification and issue fraudulent SSL certificates for any domain linked to certain email providers. According to an exploit demonstrated by a security researcher going by the alias Sec Reporter, attackers could abuse SSL.com\u2019s misinterpretation of email-based validation methods. 
\u201cSSL.com failed to conduct [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2876,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2875","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2875"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2875"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2875\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2876"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}