惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
Scott Helme
Scott Helme
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Schneier on Security
I
Intezer
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
Cloudbric
Cloudbric
V2EX - 技术
V2EX - 技术
Google Online Security Blog
Google Online Security Blog
L
Lohrmann on Cybersecurity
Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
LINUX DO - 热门话题
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Recent Announcements
Recent Announcements
Security Archives - TechRepublic
Security Archives - TechRepublic
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
K
Kaspersky official blog
阮一峰的网络日志
阮一峰的网络日志
博客园_首页
Latest news
Latest news
B
Blog
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
博客园 - 叶小钗
L
LangChain Blog
GbyAI
GbyAI
Last Week in AI
Last Week in AI
S
Security Affairs
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
Security Latest
Security Latest
Vercel News
Vercel News
Y
Y Combinator Blog
G
GRAHAM CLULEY
S
Securelist
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
雷峰网
雷峰网

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside
Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Jessica Lyons Jessica Lyons · 2025-04-22 · via The Register - Security: CSO

CSO

Bug hunter tricked SSL.com into issuing cert for Alibaba Cloud domain in 5 steps

10 other certificates 'were mis-issued and have now been revoked'

Certificate issuer SSL.com’s domain validation system had an unfortunate bug that was exploited by miscreants to obtain, without authorization, digital certs for legit websites.

With those certificates in hand, said fraudsters could set up more-convincing malicious copies of those sites for things like credential phishing, or decrypt intercepted HTTPS traffic between those sites and their visitors.

And since learning of that flaw, SSL.com has revoked 11 wrongly issued certificates – one of them for Alibaba.

The hole appears to be as simple as this: As part of the process of verifying that you control a domain name – and thus allowing you to obtain a TLS certificate for that domain so that it can (for instance) support encrypted HTTPS connections with visitors – SSL.com gives you the option of creating a _validation-contactemail DNS TXT record for the domain, with the value set to a contact email address.

Once that DNS TXT record is present, and you request a certificate for the domain, SSL.com emails a code and URL to that contact address. You click the link and enter the code, and establish you are a controller of the domain and can get the certificate for your site.

Unfortunately, due to a buggy implementation, SSL.com would also now consider you the owner of the domain used for the contact email. If you put in vulture@example.com, provided you could pick up mail to that address and follow the link, SSL.com would be happy to issue you a certificate for example.com. It doesn't matter what domain you were actually trying to verify ownership of.

Swap example.com for a webmail provider, and suddenly this becomes a bit of a scary situation.

As a bug report posted on Friday by someone using the handle “Sec Reporter” pointed out, when SSL.com received a request to issue a certificate, during the domain validation process it “incorrectly marks the hostname of the approver's email address as a verified domain.”

Sec Reporter demonstrated it was possible to provide an @aliyun.com email address for a random domain, and be issued certs for aliyun.com and www.aliyun.com – a webmail and public cloud service run by Chinese internet giant Alibaba.

SSL.com’s mishandling of the matter is scary because it means anyone who clocked the flawed DNS record validation process could request, and be issued, a TLS cert for someone else's website. Those certs could be used to spoof the legit site, and enable man-in-the-middle attacks, phishing, and more.

SSL.com has now revoked 11 certificates issued via this faulty validation logic. One of them was for aliyun.com, obtained by the researcher to demonstrate the security vulnerability. The others? SSL.com isn't saying who got them, but did list them as follows:

It's important to note the certs created for these domains may not have been obtained maliciously; all we know is that they were issued via the broken validation system, which means they need to be revoked as a precaution.

In a preliminary incident report posted on Monday, SSL.com technical compliance officer Rebecca Kelley confirmed there was a flaw in one of its domain control validation (DCV) methods.

"An incorrect implementation of the DCV method specified in the SSL.com CP/CPS, section 3.2.2.4.14 (Email to DNS TXT Contact), resulted in mis-issuing a certificate to the hostname of the approver's email address," Kelley stated on Mozilla's Bugzilla database.

That particular DCV process – there are alternative methods for validating domains – has been disabled until SSL.com can fix the flaw. The biz promised a full incident report on or before May 2.

Here are the five steps, plus an initial setup phase, Sec Reporter gave to exploit the domain validation oversight:

As noted in their write-up, the researcher is not an admin, hostmaster, nor webmaster for aliyun.com, and the _validation-contactemail for the domain wasn't configured at all. "So, this is wrong," the bug hunter concluded.

  1. Create a TXT record for the domain _validation-contactemail.d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com with the value myusername@aliyun.com. Here, aliyun.com is both a cloud provider and an email provider, similar to @Yahoo.com or @iCloud.com.
  2. Visit SSL.com and request a certificate for the domain d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com. Then, select myusername@aliyun.com from the email approvers list.
  3. Log in to myusername@aliyun.com, retrieve the email that contains the DCV random value, and finalize the DCV validation process.
  4. SSL.com will add the domain name of the email address (the part after the @. in this case, aliyun.com) to your list of verified domains.
  5. To obtain certificates for aliyun.com and www.aliyun.com, initiate the certificate request.

SSL.com thanked the researcher, and promised it is "processing this incident with the utmost priority."

The Register has reached out with questions about the bug and whether there is any word of it being exploited for nefarious purposes. We will update this story when we receive more info. ®