The problem for the attacker is that the false answer needs to carry the correct authenticating transaction ID, and there are 65,000 possibilities. Moreover, once Facebook’s server gets an answer, it will store the domain name server’s numerical address for a certain period of time, perhaps a day. The flaw that Kaminsky discovered, however, allows the attacker to trigger requests for the domain name server’s address as many times as he wants. If the attacker includes a random transaction ID with each of his false responses, he’ll eventually luck upon the correct one. In practice, Kaminsky says, it takes the attacker’s computer about 10 seconds to fool a server into accepting its false answer.

Fooling Facebook’s server would mean that the attacker could intercept messages that Facebook intended to send to users, which could allow him to get control of large numbers of accounts. The attacker could use similar techniques to intercept e-mail from other sources, or to get forged security certificates that could be used to more convincingly impersonate banking sites. “We haven’t had a bug like this in a decade,” Kaminsky says.

Because the attack takes advantage of an extremely common Internet transaction, the flaw is difficult to repair. “If you destroy this behavior, you destroy [the domain name system], and therefore you destroy the way the Internet works,” Kaminsky says. But the temporary fix that’s being distributed will keep most people safe for now. That fix helps by adding an additional random number that gives the attacker a much smaller chance of being able to guess correctly and pull off the impersonation. In the past month, he says, more than 120 million broadband consumers have been protected by patches, as have 70 percent of Fortune 500 companies. “If they’re big and vulnerable, and I thought so, I’ve contacted them and raised holy hell,” Kaminsky says. Facebook has applied the patch, as have Apple, LinkedIn, MySpace, Google, Yahoo, and others.
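To make the arithmetic in the passages above concrete, here is an added example (written for this edit, not code from the article or from Kaminsky) that models the guessing race and shows why the extra random number in the patch changes the odds. It assumes a 16-bit transaction ID (65,536 values), a constructed 64,000-value range for the additional random number, and a constructed 100 forged answers per race.

```python
import math
import random

TXID_SPACE = 1 << 16    # 16-bit DNS transaction ID: the "65,000 possibilities" in the article
PORT_SPACE = 64_000     # assumed size of the extra random number's range added by the patch


def race_success_probability(guesses_per_race: int, space: int) -> float:
    """Chance of winning one race: the attacker fires `guesses_per_race` forged
    answers with distinct random IDs before the legitimate answer arrives."""
    return min(1.0, guesses_per_race / space)


def races_for_confidence(target: float, guesses_per_race: int, space: int) -> int:
    """Races the attacker must trigger to reach `target` cumulative success probability.
    Races are independent because the flaw lets the attacker re-trigger the lookup
    instead of waiting for the cached legitimate answer to expire."""
    p = race_success_probability(guesses_per_race, space)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def estimated_win_rate(guesses_per_race: int, space: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of one race, repeated `trials` times: the resolver draws a
    fresh secret per query; the attacker wins if any forged answer matches it."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        secret = rng.randrange(space)
        if secret in rng.sample(range(space), guesses_per_race):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    guesses = 100   # constructed: forged answers the attacker lands per race
    for label, space in (("TXID only", TXID_SPACE), ("TXID + random port", TXID_SPACE * PORT_SPACE)):
        print(f"{label:20s} p(one race) = {race_success_probability(guesses, space):.2e}  "
              f"races for 50% = {races_for_confidence(0.5, guesses, space):,}")
    print("simulated win rate, TXID only:", estimated_win_rate(guesses, TXID_SPACE, 5000))
```

With the constructed parameters, a 16-bit ID alone needs a few hundred re-triggered races for even odds, while the patched space needs tens of millions, which is the margin the article describes as keeping most people safe for now.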

But it’s still uncertain how to put a long-term solution in place. Kaminsky calls the current patch a “stopgap,” which he hopes will hold off attackers while the security community seeks a more permanent fix. Jerry Dixon, director of analysis for Team Cymru and former executive director of the National Cyber Security Division and US-CERT, says that “longer-term fixes will take a lot of effort.” Changes to the domain name system must be made cautiously, he says, adding, “It’s the equivalent of doing heart surgery.” It would be easy for a fix to cause unintended problems in the system. In the meantime, Dixon says, “if I were asked by the White House to assess this, I would say it’s a bad vulnerability. People need to patch this.”


Credit: Technology Review

Tagged: Web, Black Hat, computer security, Internet infrastructure, domain name system, DNS flaw, Dan Kaminsky
