
Group ID "com.mycila" vulnerable to hijacking in public repos by "mycila.com" domain available for purchase. (license-maven-plugin issue, closed, 9 comments)

liry commented on July 17, 2024
Group ID "com.mycila" vulnerable to hijacking in public repos by "mycila.com" domain available for purchase.

from license-maven-plugin.

Comments (9)

mathieucarbou commented on July 17, 2024

Hello,

I will close this issue.

I am the owner of mycila.com. It is set to renew each year, it's been like that for years, and it won't change. Also, the domain is locked so nobody can take ownership or transfer it.


bernd commented on July 17, 2024

> Once somebody buys this domain, he/she can take over the ownership of the "com.mycila" Group ID in Maven Central (and/or other public repositories) and start distributing malicious code.

@liry That doesn't seem to be true. According to a comment from the Maven Central maintainers, an existing namespace cannot be claimed by buying an orphaned domain and using DNS validation. For existing namespaces it's a manual process.

See:

> The outlined attack strategy involves searching for expired domains to establish credentials for publishing malicious components on Maven Central. However, this attack is not feasible due to the automation in place. While DNS validation is used for namespace validation, it only applies to new ones. Attempts to register an existing namespace will fail, and we have manual validation procedures in place. To further enhance security, we have disabled all accounts associated with expired domains and GitHub projects. Any future attempts to leverage current and future expired domains will undergo a thorough assessment by our team, ensuring evidence of ownership of not just the domain but also the underlying project.

-- https://www.sonatype.com/sonatypes-ongoing-commitment-to-maven-central


liry commented on July 17, 2024

Ok, thanks for pointing to this.

But there also exist other attack vectors, like the possibility of introducing the component into some other public repository, right? It may not have such a big blast radius as Maven Central, but it still may be a problem for some users.


bernd commented on July 17, 2024

> But there also exist other attack vectors, like the possibility of introducing the component into some other public repository, right? It may not have such a big blast radius as Maven Central, but it still may be a problem for some users.

Right, if a project configures other repositories than Maven Central and those repositories don't have rigid processes for ownership claims, a project can be vulnerable.


bagipro commented on July 17, 2024

Hey @bernd and @liry,

I'm one of the authors of the research. I came here to see who bought the mycila.com domain. If it's not @mathieucarbou (he hasn't commented on it yet), it could be a sign of an attack.

Also,

> That doesn't seem to be true. According to a comment from the Maven Central maintainers, an existing namespace cannot be claimed by buying an orphaned domain and using DNS validation. For existing namespaces it's a manual process.

In the article, we used two different repositories, not only Maven Central. It's true that Maven Central blocks automatic (via a DNS TXT record) groupId claims for known (already registered in their repository) groupIds + for vulnerable groupIds that we shared with them. However, there are other public repositories such as JitPack, Gradle, and others that can be used to attack the developers.


bagipro commented on July 17, 2024

Very interesting! Two days ago GoDaddy marked it for sale, I have a saved screenshot:
[screenshot]


mathieucarbou commented on July 17, 2024

> Very interesting! Two days ago GoDaddy marked it for sale, I have a saved screenshot

This sort of click-bait ad does not mean anything. Try adding it to a cart and it will be marked as unavailable.

[screenshot]

They are probably not happy with the fact that I've transferred all my domain names to Cloudflare registrar ;-)


mathieucarbou commented on July 17, 2024

I've also verified my listings at auctions.godaddy.com and it is not there.
But it is true that I see the domain listed there. But as it is stated, the owner has to agree to the transfer.
So if you buy it, I will refuse the transfer and you'll have $1000 USD to recover from GoDaddy 😆


mathieucarbou commented on July 17, 2024

Just for clarity:

mycila.com is not old: it is registered and renewed each year and locked from any transfer.

https://who.is/whois/mycila.com

Domain registrars are offering auctions, which are a way to make an offer to buy an existing domain. The domain owner can refuse or accept the ownership transfer.

https://www.elegantthemes.com/blog/business/how-to-buy-a-domain-name-that-is-already-taken

Domain availability cannot be checked from a registrar allowing such auctions... You need to use a standard whois mechanism.

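An added example, not code from the project or from anyone in this thread, that serves two points raised above: bernd's note that a project resolving from repositories without rigid ownership processes is exposed, and mathieucarbou's note that availability must be checked via whois rather than a registrar's sales listing. It maps every groupId in a pom.xml back to the domain it is derived from and classifies that domain from a whois answer. The sample POM, the groupId "net.orphaned-example", and the fake_whois responses are constructed so the script runs offline; a real audit would swap in the whois CLI.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.")  # account-backed, not domain-backed
UNREGISTERED_RE = re.compile(r"no match for|not found|no data found", re.I)

# Constructed sample POM; only the groupId "com.mycila" comes from the thread above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>net.orphaned-example</groupId><artifactId>lib</artifactId></dependency>
  </dependencies>
  <build><plugins>
    <plugin><groupId>com.mycila</groupId><artifactId>license-maven-plugin</artifactId></plugin>
  </plugins></build>
</project>"""

def group_ids(pom_xml: str) -> list:
    """Distinct groupIds anywhere in the POM (dependencies, plugins, parent), in document order."""
    seen = []
    for el in ET.fromstring(pom_xml).iterfind(".//m:groupId", POM_NS):
        gid = (el.text or "").strip()
        if gid and gid not in seen:
            seen.append(gid)
    return seen

def group_id_domain(gid: str):
    """Reverse-DNS groupId -> registrable domain (com.mycila -> mycila.com); None for account-backed
    namespaces. Simplification: assumes a two-label domain; suffixes like co.uk need a public-suffix list."""
    if gid.startswith(HOSTED_PREFIXES):
        return None
    labels = gid.split(".")
    return ".".join(reversed(labels[:2])) if len(labels) >= 2 else None

def whois_unregistered(whois_text: str) -> bool:
    """True when a whois answer reads as 'no registration' (a registrar 'for sale' page is not evidence)."""
    return UNREGISTERED_RE.search(whois_text) is not None

def audit(pom_xml: str, whois_lookup) -> dict:
    """domain -> 'registered' | 'UNREGISTERED' for every domain-backed groupId in the POM."""
    report = {}
    for gid in group_ids(pom_xml):
        domain = group_id_domain(gid)
        if domain is not None:
            report[domain] = "UNREGISTERED" if whois_unregistered(whois_lookup(domain)) else "registered"
    return report

def fake_whois(domain: str) -> str:
    """Constructed offline stand-in for a live whois query (e.g. the `whois` CLI via subprocess)."""
    return "Domain Status: clientTransferProhibited" if domain == "mycila.com" else f'No match for "{domain.upper()}".'
```

An UNREGISTERED result means the namespace's domain could be bought and a DNS TXT claim attempted on any repository that still automates ownership checks, which is the case to escalate, not a confirmed compromise.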
