
We spent $20 to achieve RCE and accidentally became the admins of .mobi

https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Obviously there are a lot of errors by a lot of people that led to this, but here's one that would've prevented this specific exploit:

> As part of our research, we discovered that a few years ago the WHOIS server for the .MOBI TLD migrated from whois.dotmobiregistry.net to whois.nic.mobi – and the dotmobiregistry.net domain had been left to expire seemingly in December 2023.

Never ever ever ever let a domain expire. If you're a business and you're looking to pick up a new domain because it's only $10/year, consider that you're going to be paying $10/year forever, because once you associate that domain with your business, you can never get rid of that association.

This is the most obvious reason why Verisign is a monopolist and should be regulated like a utility. They make false claims about choice and not being locked in. You buy a domain, you use it, you're locked in forever. And they know it. That's why they fight tooth and nail to protect their monopoly.
It’s worse if you stop using the phrase ‘buy’ and instead use the term ‘rent’. A DNS provider could 10,000x your domain cost and there’s nothing you can do about it.
This actually happened to me, but fortunately I never actually used the domain. I registered tweed.dev intending to use robert.tweed.dev as a personal blog. It wasn't classed as a "premium" domain and the first year was £5 or something IIRC, which was half price compared to the normal renewal fee.

The next year they decided it was premium after all, and wanted to charge £492,000 for renewal. I still have a screenshot of that, although needless to say I don't own the domain anymore.

Couldn't you just transfer it to another registrar? I guess they blocked that, but I wonder whether ICANN allows them to do so. It's indeed ridiculous.
Isn’t Google the .dev registrar?
Can they? I thought ICANN prevented such steep increases?
There are a bunch of different domain types all commingled together; non-premium gTLD domains, ccTLD domains, 3rd level domains, registry premium gTLD domains and, as added complexity, aftermarket domains which could be any of the previous listed types.

ICANN provides some protection for standard gTLD domains, but it's minimal. You're guaranteed identical pricing to all other standard domain registrants on the gTLD, so they can only raise your price by raising the price of everyone else at the same time. That hasn't stopped some registries from 10x price increases though. The only thing it does is ensure they can't single you out and massively hike your renewal fee.

However, that does not apply to registry premium gTLD domains. When you register a registry premium domain you waive those protections and the registries can technically do anything they want.

If you register a ccTLD domain, you're at the mercy of that country's registry. If you register a 3rd level domain you're at the mercy of the 2nd level domain owner and they're regulated by either ICANN or a country based registry.

It's actually somewhat complex when you get into it.

Only for a few TLDs; for stuff like ccTLDs, there's no limit on how much a registry can charge.
To be clear, that's because the country that represents that ccTLD has sovereignty over it. That's also why they can have arbitrary, unusual requirements on them.
We can prevent this by paying the domain registrar ahead of time for N years. It's not a real solution, but it works (as good as any patch)
And if your domain is really worth that much, you can sell it before it expires.
Always use subdomains. Businesses only ever need a single $10 domain for their entire existence.
But if companies did that then I never would have been able to buy coolchug.com!
I like the point you are making in this post. It makes me think about the Backblaze blog posts where they discuss the likelihood of enough drive failures to lose user data. Then, they decided the calculation result hardly matters, because people are more likely to forget to pay due to an expired credit card or email spam filtering (missed renewal reminders!).

How do mega corps remember to pay their domain bills? Do they pay an (overpriced) registrar for "infinity" years of renewals? This seems like a genuinely hard business operations problem.
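
The operational check behind the two posts above (the expired whois.dotmobiregistry.net domain quoted from the article, and the question of how an organisation keeps track of renewals) is an inventory audit: collect every hostname your infrastructure points at, reduce each to its registrable domain, and look up that domain's registration status and expiration date. This added example, which is not code from the thread or from the watchTowr write-up, does that against RDAP domain objects (the JSON format registries serve under RFC 9083, where an `events` entry with `eventAction` of `"expiration"` carries the expiry date). The RDAP responses, the host list and the audit date are constructed sample data, and the `registrable_domain` helper assumes a two-label suffix; production code would fetch the RDAP object per domain (for example via the rdap.org bootstrap service) and use the Public Suffix List instead of that assumption.

```python
"""Audit the registrable domains your infrastructure references and flag any
that are unregistered, expired, or expiring within a warning window.

Added example (not from the thread or from watchTowr). RDAP data below is
constructed; in practice fetch it per domain from the registry's RDAP server.
"""
from datetime import datetime, timedelta, timezone

# Hostnames that configs, NS/MX/CNAME records or client software point at.
# Constructed list; the first entry is the hostname quoted in the thread.
REFERENCED_HOSTS = [
    "whois.dotmobiregistry.net",
    "whois.nic.mobi",
    "ns1.example-corp.com",
    "mail.example-corp.com",
]

# Constructed RDAP domain objects keyed by registrable domain. A missing key
# models an HTTP 404 from the RDAP server, i.e. the domain is not registered.
SAMPLE_RDAP = {
    "nic.mobi": {
        "events": [{"eventAction": "expiration", "eventDate": "2030-01-01T00:00:00Z"}]
    },
    "example-corp.com": {
        "events": [{"eventAction": "expiration", "eventDate": "2024-10-15T12:00:00Z"}]
    },
}

# Constructed audit date (the day the thread was posted).
NOW = datetime(2024, 9, 12, tzinfo=timezone.utc)


def registrable_domain(host):
    """Reduce a hostname to its registrable domain.

    ASSUMPTION: the registrable domain is the last two labels. That is wrong for
    suffixes such as co.uk; real code should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def expiration_from_rdap(rdap):
    """Return the expiration time from an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            # RDAP dates are RFC 3339; fromisoformat needs +00:00 rather than Z.
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def classify(rdap, now, warn_days=60):
    """Map an RDAP object (or None for 'not registered') to an audit status."""
    if rdap is None:
        return "UNREGISTERED"
    expires = expiration_from_rdap(rdap)
    if expires is None:
        return "UNKNOWN"
    if expires <= now:
        return "EXPIRED"
    if expires - now <= timedelta(days=warn_days):
        return "EXPIRING_SOON"
    return "OK"


def audit(hosts, lookup, now=NOW, warn_days=60):
    """Return {registrable_domain: status} for every domain the hosts depend on.

    `lookup(domain)` returns the RDAP object or None; here it is a dict lookup
    over the constructed sample data.
    """
    report = {}
    for host in hosts:
        domain = registrable_domain(host)
        if domain not in report:
            report[domain] = classify(lookup(domain), now, warn_days)
    return report


def run_sample():
    """Audit the constructed host list against the constructed RDAP data."""
    return audit(REFERENCED_HOSTS, SAMPLE_RDAP.get)


if __name__ == "__main__":
    for domain, status in sorted(run_sample().items()):
        print(f"{status:14} {domain}")
```

Anything reported as UNREGISTERED is the situation the article describes: a name your systems still reference that anyone can register. EXPIRING_SOON is the cheaper problem the later post asks about, and the threshold is the place to wire in whatever alerting the organisation already uses, independent of the registrar's renewal reminders that can land in a spam filter or go to an ex-employee's mailbox.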

> If you're a business and you're looking to pick up a new domain because it's only $10/year, consider that you're going to be paying $10/year forever, because once you associate that domain with your business, you can never get rid of that association.

Please elaborate...

Also, what about personal domains? Does it apply there as well?
