Due to a vulnerability in the TLD registrar's website, attackers could have changed the name-servers of any domain under Tonga's country code top-level domain (ccTLD), according to security researchers. With approximately 513 million results from a Google search for '.to' pages, the weakness gave would-be attackers a vast pool of targets for a variety of large-scale attacks. The Tonga Network Information Center (Tonic) was "extremely quick" in resolving the bug, fixing it within 24 hours of online security firm Palisade reporting the issue, found during a pen test, on October 8, 2021, according to a Palisade blog post.
Sam Curry and other Palisade researchers uncovered an SQL injection vulnerability on the registrant website, which could be used to obtain plaintext DNS master passwords for .to domains. Once signed in, an attacker could modify the DNS settings for these domains and redirect traffic to their own website. According to Curry, the attacker might then steal cookies and local browser storage and thereby hijack victim sessions, among other attacks.
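The observable effect of the attack described above is a silent change to a domain's NS records at the registrar. The following is an added example, not code from the article or from Palisade, of a baseline check a domain owner can run to catch such drift; the domain names, the expected name-servers and the resolver answers are all constructed, and `lookup` stands in for a real DNS query.

```python
# Added example (not from the article or Palisade): compare the live NS set of
# each owned domain against a recorded baseline and flag any difference.
# Resolver output is constructed here; substitute a real lookup (e.g. dnspython)
# in production.
from dataclasses import dataclass

# Constructed baseline: the name-servers each domain is supposed to delegate to.
EXPECTED_NS = {
    "example.to": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "links.example.to": {"ns1.example-dns.net", "ns2.example-dns.net"},
}

# Constructed "live" answers as a resolver might return them (mixed case,
# trailing dots). The second domain has one server swapped for a rogue one.
CONSTRUCTED_ANSWERS = {
    "example.to": ["NS1.example-dns.net.", "ns2.example-dns.net."],
    "links.example.to": ["ns1.example-dns.net.", "ns1.attacker-controlled.example."],
}

def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()

@dataclass(frozen=True)
class NsDrift:
    domain: str
    added: frozenset
    removed: frozenset

    @property
    def hijack_suspected(self) -> bool:
        # Any unexpected server is a red flag: a single rogue NS in the set
        # is enough for an attacker to answer a share of the queries.
        return bool(self.added)

def check_nameservers(expected, lookup):
    """Return one NsDrift per domain whose live NS set differs from baseline.

    `lookup(domain)` returns the NS names as seen by a resolver. A failed
    lookup is reported as drift with every baseline server 'removed', since
    an unresolvable delegation also means the domain no longer behaves as intended.
    """
    findings = []
    for domain, baseline in expected.items():
        baseline = {normalize(n) for n in baseline}
        try:
            live = {normalize(n) for n in lookup(domain)}
        except Exception:
            live = set()
        added = frozenset(live - baseline)
        removed = frozenset(baseline - live)
        if added or removed:
            findings.append(NsDrift(domain, added, removed))
    return findings

def constructed_lookup(domain):
    return CONSTRUCTED_ANSWERS[domain]
```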
An attacker may send crafted accounts if they gained control of google.to, an official Google domain for redirects and OAuth authorization processes. OAuth is a popular authorization mechanism that allows websites and web applications to request limited access to another application's user account. Importantly, OAuth enables the user to authorize this access without revealing their login credentials to the requesting application. This implies that instead of handing over complete control of their account to a third party, users can fine-tune which data they want to disclose.
The fundamental OAuth protocol is extensively used to integrate third-party functionality that requires access to certain data from a user's account. For example, an application may utilise OAuth to request access to your email contacts list in order to recommend individuals to connect with. The same approach, however, is also used to enable third-party authentication services, allowing users to log in with an account they have with another website.
As with .io, .to domains are widely used to generate short links, which in turn serve password resets, affiliate marketing, and links to company resources. Curry argued that the link-shortening services used by Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) could have been abused by altering the '.to' pages to which these giant brands' tweets pointed for their millions of Twitter followers.
Curry speculated that attackers "could likely steal a very big amount of money" from customers of tether.to, the official platform for purchasing the Tether stablecoin, even if they "only owned this domain for a short period of time." However, Eric Gullichsen, administrator of the .to ccTLD, stated that “various security and monitoring and throttling systems we already had in place would have defeated many of the exploits used during the pen test, had the security researchers’ IP addresses not been whitelisted to enable their testing.”