Didn't expect to see this here, it was over a month ago this incident happened! Happy to answer any questions about it (author of DataTables here). It was a super stressful event to say the least, and I've been reading along with the recent npm incidents wondering what I can do to make sure my OpSec is as good as it reasonably can be.
Totally OT, but thanks so much for DataTables! I used it for a tiny personal project a few years back and it's been quietly chugging away with barely any maintenance required. It was so easy to get up and running with the documentation, implement and customise to my heart's content -- truly an excellent piece of open source!
The blog feed is here: https://datatables.net/feeds/blog.xml . It is advertised on the landing page, but it looks like I've missed having it on the blog page! As you say, that has the releases feed - thanks for pointing that out.
It would be helpful if you would share the name of the registrar so that other people could be aware that this policy exists if you work with that registrar.
Joker.com. Credit to them they fixed it reasonably quickly, but its a horrible policy to default to enact the change if no response if given. Their reasoning was what else would they do if someone got locked out of their email - they need a way to recover their domain somehow, and they ask for ID to be submitted, but as seen, that is trivial to fake.
This is perhaps a lesson that people should use the extra domain security functions, e.g. Domain Lock which is available on most (all ?) TLDs.
If your registrar does not expose the functionality, move to one that does.
N.B. Ideally you want Domain Lock == REGISTRY-LOCK, there is also REGISTRAR-LOCK which is similar in concept but not quite as secure because REGISTRAR-LOCK is implemented at Registrar not Registry level.
It’s still a complicated attack and I can understand the registrar being confused, though they should’ve called you for sure.
> They used an email address intentionally crafted to look like it could be mine and submitted a fake driver's license and utility bill with information that could only have been from leaked WHOIS data. The registrar accepted this as proof of identity and started the transfer process. That included sending an email to me to confirm the transfer, an email which I never saw due to the flood of emails (which it is now easy to say was the start of the attack).
Edit: Cloudflare blocking the attackers code with a 1000 error is interesting. Could you share some information about it?
Yeah - it was a well set up attack. What I don't understand is that there was no obvious follow on. I can only guess that it was a proof that it could be done. Maybe?
Regarding the 1000 error - I didn't have any 1:1 support contact with CloudFlare - the first I knew was they were returning 1000 errors, which I presume they were doing due to a blacklisted IP being used for the DNS resolving. I'm really not sure though.
> The takeover due to the lack of response to an email is worrying
The trouble is that that is the way most way modern small print is worded.
Read the small print in any contract of the last 10 years. Almost all of them when speaking about delivery of notices will apply $n days to emails.
Everyone in the tech world knows why it's a horrible idea, but sadly most lawyers who draft these things either don't care, or their client doesn't care and that's how the lawyer has been instructed to draft.
Yeah, I really wasn't happy about that. I did put it to the registrar that such a policy is wrong and open to such an attack. I got the impression that they weren't going to change their policy though. Such policies are something I'm going to be looking at when considering a new registrar.
> The fact that someone would attack an open source product such as DataTables sickens me. I release by far the majority of my work as free open source software, host a free to use CDN, and support the software.
Seriously, no idea what could motivate this, unless a paid datatables vendor felt you were undercutting their business. We all like to think that attacks are beneath them, but stuff like that has happened before.
Didn't expect to see this here, it was over a month ago this incident happened! Happy to answer any questions about it (author of DataTables here). It was a super stressful event to say the least, and I've been reading along with the recent npm incidents wondering what I can do to make sure my OpSec is as good as it reasonably can be.
Totally OT, but thanks so much for DataTables! I used it for a tiny personal project a few years back and it's been quietly chugging away with barely any maintenance required. It was so easy to get up and running with the documentation, implement and customise to my heart's content -- truly an excellent piece of open source!
Maybe because your Blog RSS [1] shows releases only, it doesn't seem to show these interesting tidbits?
[1] <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://datatables.net/feeds/releases.xml">
The blog feed is here: https://datatables.net/feeds/blog.xml . It is advertised on the landing page, but it looks like I've missed having it on the blog page! As you say, that has the releases feed - thanks for pointing that out.
It would be helpful if you would share the name of the registrar so that other people could be aware that this policy exists if you work with that registrar.
Joker.com. Credit to them they fixed it reasonably quickly, but its a horrible policy to default to enact the change if no response if given. Their reasoning was what else would they do if someone got locked out of their email - they need a way to recover their domain somehow, and they ask for ID to be submitted, but as seen, that is trivial to fake.
This is perhaps a lesson that people should use the extra domain security functions, e.g. Domain Lock which is available on most (all ?) TLDs.
If your registrar does not expose the functionality, move to one that does.
N.B. Ideally you want Domain Lock == REGISTRY-LOCK, there is also REGISTRAR-LOCK which is similar in concept but not quite as secure because REGISTRAR-LOCK is implemented at Registrar not Registry level.
It’s still a complicated attack and I can understand the registrar being confused, though they should’ve called you for sure.
> They used an email address intentionally crafted to look like it could be mine and submitted a fake driver's license and utility bill with information that could only have been from leaked WHOIS data. The registrar accepted this as proof of identity and started the transfer process. That included sending an email to me to confirm the transfer, an email which I never saw due to the flood of emails (which it is now easy to say was the start of the attack).
Edit: Cloudflare blocking the attackers code with a 1000 error is interesting. Could you share some information about it?
Yeah - it was a well set up attack. What I don't understand is that there was no obvious follow on. I can only guess that it was a proof that it could be done. Maybe?
Regarding the 1000 error - I didn't have any 1:1 support contact with CloudFlare - the first I knew was they were returning 1000 errors, which I presume they were doing due to a blacklisted IP being used for the DNS resolving. I'm really not sure though.
The takeover due to the lack of response to an email is worrying
> The takeover due to the lack of response to an email is worrying
The trouble is that that is the way most way modern small print is worded.
Read the small print in any contract of the last 10 years. Almost all of them when speaking about delivery of notices will apply $n days to emails.
Everyone in the tech world knows why it's a horrible idea, but sadly most lawyers who draft these things either don't care, or their client doesn't care and that's how the lawyer has been instructed to draft.
Yeah, I really wasn't happy about that. I did put it to the registrar that such a policy is wrong and open to such an attack. I got the impression that they weren't going to change their policy though. Such policies are something I'm going to be looking at when considering a new registrar.
Who is the old registrar?
> The fact that someone would attack an open source product such as DataTables sickens me. I release by far the majority of my work as free open source software, host a free to use CDN, and support the software.
Seriously, no idea what could motivate this, unless a paid datatables vendor felt you were undercutting their business. We all like to think that attacks are beneath them, but stuff like that has happened before.