Jan 28, 2022

Improper Zone Enumeration

Last week a minor incident was detected and dealt with.

A logged-in user was able to enumerate old, inactive domains. The only information retrievable this way was whether a particular domain name had ever been registered and whether it was currently active. The transgressor had no control over the domain names directly; they had to enumerate them through a sequential numerical identifier.

Even though ISNIC chooses not to provide such information on old, inactive domains, some other registries do. The information is not sensitive, but it was still unintended behaviour of our systems, which has now been patched.

No private or sensitive data were affected. All services remained fully operational.
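The following Python is an added illustration of the kind of issue described above, not ISNIC's code: a lookup keyed by a sequential numeric identifier that answers for every id, beside a version that only answers for currently active domains, plus a small log check for sequential-id probing. The registry rows, the `/domain/<id>` endpoint name, the usernames and the log line format are all constructed for the example.

```python
"""Added example: numeric-id lookup before and after restricting what it
reveals, plus a detector for sequential-id probing in access logs.
Every record, endpoint and log line here is constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass
class DomainRecord:
    id: int
    name: str
    active: bool


# Constructed sample rows. The ids are sequential, which is what lets a
# user walk through them without knowing any domain names.
REGISTRY = {
    101: DomainRecord(101, "example-a.is", True),
    102: DomainRecord(102, "example-b.is", False),  # old, inactive
    103: DomainRecord(103, "example-c.is", False),  # old, inactive
    104: DomainRecord(104, "example-d.is", True),
}


def lookup_unpatched(domain_id: int) -> dict:
    """Unintended behaviour: for any id, reveal whether the domain was ever
    registered and whether it is currently active."""
    rec = REGISTRY.get(domain_id)
    if rec is None:
        return {"registered": False}
    return {"registered": True, "active": rec.active}


def lookup_patched(domain_id: int) -> dict:
    """Patched behaviour: inactive (historical) records answer exactly like
    ids that never existed, so history can no longer be enumerated."""
    rec = REGISTRY.get(domain_id)
    if rec is None or not rec.active:
        return {"registered": False}
    return {"registered": True, "active": True}


# Constructed access-log format: "<user> GET /domain/<id> <status>"
LOG_RE = re.compile(r"^(?P<user>\S+) GET /domain/(?P<id>\d+) (?P<status>\d{3})$")


def detect_sequential_probing(lines, threshold: int = 5) -> list:
    """Return users whose requests contain a run of at least `threshold`
    consecutive ids in ascending order, a pattern typical of enumeration.
    Ordinary users look up a handful of unrelated ids; a walker counts up."""
    per_user = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_user[m["user"]].append(int(m["id"]))
    flagged = []
    for user, ids in per_user.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            flagged.append(user)
    return flagged


# Constructed log sample: alice and bob make normal lookups, u-scan walks
# ids 100..106 in order.
SAMPLE_LOG = [
    "alice GET /domain/101 200",
    "u-scan GET /domain/100 404",
    "u-scan GET /domain/101 200",
    "bob GET /domain/103 404",
    "u-scan GET /domain/102 200",
    "u-scan GET /domain/103 200",
    "alice GET /domain/104 200",
    "u-scan GET /domain/104 200",
    "u-scan GET /domain/105 404",
    "u-scan GET /domain/106 404",
]


if __name__ == "__main__":
    print("unpatched 102:", lookup_unpatched(102))
    print("patched   102:", lookup_patched(102))
    print("flagged users:", detect_sequential_probing(SAMPLE_LOG))
```

The point of the two lookups is that the patched version collapses "inactive" and "never existed" into the same answer, so the response no longer leaks registration history; the detector is a cheap complementary control for spotting a walk through sequential ids in existing logs.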

A post-mortem is available here.