Edward Wall

Ministry of Defence Domain Hijacking

The UK's Ministry of Defence left their secondary domain name vulnerable to domain takeover, despite using it for internal services.

The Ministry of Defence (MOD) has two domain names: mod.uk and mil.uk. They registered mil.uk in 1996 but never used it publicly, choosing mod.uk for their online presence. According to Wikipedia it is still used on their internal network, mostly for email.

While looking around government websites I came across this domain. Despite it supposedly being inactive publicly, this is the response that I received.

Fastly error: unknown domain: mil.uk. Please check that this domain has been added to a service.

The MOD uses a Content Delivery Network (CDN) called Fastly, and this error message was a clear indication of what was happening. While the DNS records for mil.uk were pointed at Fastly, there was no Fastly account for mil.uk.

This is a scenario where subdomain takeover, or in this case domain takeover, can occur. The attacker simply needs to sign up for a Fastly account claiming to own mil.uk. Once this is done the attacker may control the content served from the domain. This simple configuration error could potentially have led to a foreign government serving malware from a UK military domain or social engineering MOD personnel and harvesting credentials.

When Fastly receives a request for a domain, it looks up the configuration the domain owner has registered for it. In this instance no Fastly account claimed mil.uk, so it returned an error. It would be very easy to sign up for a Fastly account and take control of the domain's content.

Upon further investigation I found the source of the problem. The MOD uses Fastly for their primary website (mod.uk) and had created a CNAME record for mil.uk pointing to mod.uk. Since the domain is used on their internal network, it is likely no one noticed: nobody was accessing it from outside their network, and from inside it would resolve through their internal DNS, which would have been configured correctly.
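To show the check a domain owner could run to catch this, here is an added example (not code from the original post): it follows a CNAME chain the way mil.uk -> mod.uk -> Fastly was chained, and flags a domain whose CDN response carries the "unknown domain" fingerprint. The zone data, hostnames, CDN suffix and HTTP bodies are constructed samples, not real records.

```python
import re

# Constructed sample zone: "victim.test" is CNAMEd to "www.primary.test", which is
# CNAMEd to a hypothetical CDN edge name. No CDN service claims "victim.test".
SAMPLE_CNAMES = {
    "victim.test": "www.primary.test",
    "www.primary.test": "edge.fastly.test",   # hypothetical edge hostname
    "healthy.test": "edge.fastly.test",
}

# Constructed sample HTTP bodies as returned when each name is requested.
SAMPLE_BODIES = {
    "victim.test": "Fastly error: unknown domain: victim.test. "
                   "Please check that this domain has been added to a service.",
    "healthy.test": "<html>welcome</html>",
    "plain.test": "<html>hello</html>",
}

# Hypothetical CDN suffix; a real check would use the CDN's published edge suffixes.
CDN_SUFFIXES = (".fastly.test",)
UNCLAIMED_RE = re.compile(r"Fastly error: unknown domain")


def resolve_chain(name, cnames, max_hops=10):
    """Follow CNAME records from `name`; return every name visited in order.
    Stops on a loop or after `max_hops` so a bad zone cannot spin forever."""
    chain = [name]
    while name in cnames and len(chain) <= max_hops:
        name = cnames[name]
        if name in chain:          # CNAME loop
            break
        chain.append(name)
    return chain


def check_domain(name, cnames=SAMPLE_CNAMES, bodies=SAMPLE_BODIES):
    """Classify a name as 'unclaimed' (dangling CNAME to a CDN that does not know
    the name), 'claimed' (CDN serves it), or 'not-cdn'. Returns (status, chain)."""
    chain = resolve_chain(name, cnames)
    if not chain[-1].endswith(CDN_SUFFIXES):
        return "not-cdn", chain
    if UNCLAIMED_RE.search(bodies.get(name, "")):
        return "unclaimed", chain
    return "claimed", chain


if __name__ == "__main__":
    for host in ("victim.test", "healthy.test", "plain.test"):
        status, chain = check_domain(host)
        print(f"{host}: {status} via {' -> '.join(chain)}")
```

Run it against the public resolver, not an internal one: an internal zone that answers for the domain is exactly what hid this case.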

I discovered this issue in April 2018 and my first action was to contact the email listed on the domain registration. My email went unacknowledged and after 4 months of silence the issue had still not been fixed. At this point I contacted the National Cyber Security Centre (NCSC) through their vulnerability disclosure program.

The NCSC were extremely efficient, taking action on the day of my email. Unfortunately their only available action was to forward the details to the MOD. Again I received no response from the MOD.

5 months after my second message I again reported the vulnerability through the NCSC in February 2019. I explained the problem and gave a 90 day deadline to fix the issue before I would disclose it publicly.

In early March I finally received a response from the MOD confirming that the issue was being investigated. It was fixed in the intervening weeks.

From the first report, it took the MOD over a year to rectify a simple issue which should have been fixed almost instantly. Looking back at the Web Archive shows that the vulnerability had existed since October 2015, more than 2 years before I identified the issue.