
> If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites.

> “We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote.

One of them has to be incorrect, and both have the incentive to lie/embellish.




One of them has an incentive sized in the billions of dollars to lie/embellish. The other thinks about worst-case scenarios from sophisticated attackers all day long. Worst-case attacks from sophisticated attackers are an embellishment when you're talking about a CS:GO server, but not when you're talking about one of the largest payment processors in the world.


Anybody who has any understanding of how certs are issued knows that he's right and MasterCard is full of shit. So would anybody who put in 10 minutes of research.

Glad to clear that up for you.


> One of them has to be incorrect, and both have the incentive to lie/embellish.

If it has no impact, they should give him permission to publish the entire list of DNS queries he captured. They won't do that because it gives bad actors hints about their infrastructure.

MasterCard is either lying or ignorant and incompetent.


I think it heavily depends on what az.mastercard.com actually is or does.

Receiving email directed to x@mastercard.com doesn't sound right, since this is only a subdomain of unknown (to me) use. TLS? Probably, but again, the risk depends on what it is, and wouldn't affect users visiting 'mastercard.com.'


Without saying too much, I can tell you that this is no obscure subdomain. That traffic he showed represents the gateways for almost all web traffic into Mastercard solutions that run on Azure.

Also, if you knew the culture in there, you would appreciate the extreme irony of them making a mistake like this.


Spill the beans already!


I think the idea was that because this typo'd domain was being used behind the CDN, you could trick mastercard.com (that uses the CDN) somehow to serve from the hijacked domain that was misconfigured at the CDN.

At least that's my guess, but it's not super clear what attacks would be possible here.


If JavaScript is served from those domains, there may be something interesting. Or if data is submitted to the domains.


re: SSL/TLS certs

My first thought is using one of the ACME-based certificate providers, since DNS control of a domain is sufficient (either TXT record or directing requests to an HTTP server you control).


“Not a risk to our system”

I have no doubt that’s heavily lawyered and is justifiable. What is their “system”… Define it the way you want and the statement is true.


Knowing what inflated security researcher egos usually are, I wouldn't hold my breath to find out the truth here.



