Exploiting Vulnerabilities in a TLD Registrar: Lessons from the .to Takeover Risk

Originally reported in October 2021 and remediated within 24 hours, this case highlights how weaknesses in a Top-Level Domain (TLD) registrar could have enabled attackers to compromise some of the most trusted internet services—including Google, Amazon, Uber, Verizon, and Tether. Here, we explore what happened, the potential consequences, and the broader security lessons for the domain ecosystem.

Research brought to you by Palisade Consulting – Expert cybersecurity analysis and domain security research.

Understanding Key Terms

TLD (Top-Level Domain): The highest level of domains in the hierarchical Domain Name System, such as .com, .org, or country-specific domains like .to (Tonga). Each TLD is managed by a designated registrar organization.

DNS (Domain Name System): The internet's "phone book" that translates human-readable domain names into IP addresses that computers use to locate websites.

Nameservers: Specialized servers that store DNS records and respond to queries about which IP address corresponds to a specific domain name.

SQL Injection: A code injection technique that exploits security vulnerabilities in database-driven applications, allowing attackers to interfere with database queries and potentially access sensitive data.

Discovery and Rapid Fix

On October 8th, 2021, researchers identified a set of vulnerabilities in the Tonga Network Information Center, the registrar responsible for the .to TLD. These flaws made it possible to alter the nameservers for any domain under .to. Within 24 hours of disclosure, the registrar patched the issue in collaboration with the research team, ensuring no malicious exploitation occurred.

The swift response demonstrated the critical importance of responsible disclosure protocols in cybersecurity research. The 24-hour timeline from discovery to fix represents one of the fastest remediation cycles ever recorded for such a high-impact vulnerability affecting internet infrastructure.

How the Exploit Worked

An attacker could have chained together three steps in what's known as a privilege escalation attack:

This would have allowed complete control over domain resolution, effectively enabling man-in-the-middle attacks, phishing campaigns, session hijacking, credential theft, and even manipulation of APIs and web services.

Technical Deep Dive: The vulnerability chain represented a perfect storm of security failures. The SQL injection flaw allowed direct database access, the plaintext password storage violated basic security principles, and the lack of multi-factor authentication on critical domain management functions created multiple single points of failure.
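An added example, not code from the article or from the Tonga NIC, of two of the weaknesses named above in the form a registrar portal would contain them: an account lookup built by string concatenation beside its parameterised form, and salted PBKDF2 storage in place of plaintext passwords. The table, account names and passwords are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt):
    # Salted PBKDF2 in place of the plaintext storage the article describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def build_db():
    # Constructed in-memory stand-in for a registrar account table; the
    # real Tonga NIC schema is not described in the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, pw_hash BLOB, salt BLOB)")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
                   (user, hash_password(pw, salt), salt))
    return db

def find_account_vulnerable(db, username):
    # The caller's value is spliced into the SQL text, so quotes and
    # operators inside it are parsed as part of the query.
    query = f"SELECT username FROM accounts WHERE username = '{username}'"
    return [row[0] for row in db.execute(query)]

def find_account_safe(db, username):
    # Bound parameter: the value reaches the engine as data and is never
    # parsed as SQL, whatever characters it contains.
    query = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]

def verify_password(db, username, password):
    row = db.execute("SELECT pw_hash, salt FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    stored, salt = row
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(stored, hash_password(password, salt))
```

Multi-factor authentication on the nameserver-change action, the third gap the article names, is a control on the management workflow rather than on the query layer and is not shown here.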

High-Value Targets at Risk

The .to namespace hosts hundreds of millions of indexed pages, including critical domains that process billions of requests daily:

The attack surface was enormous—any service relying on .to for links, redirects, API endpoints, or authentication was exposed to complete domain takeover.

Advanced Exploitation Techniques

Beyond basic domain hijacking, sophisticated attackers could have employed several advanced techniques:

Real-World Exploitation Scenarios

The Broader TLD Security Landscape

This incident exposed systemic vulnerabilities in the global domain infrastructure that extend far beyond a single TLD:

Legacy Infrastructure Risks

Many TLD registrars still operate on decades-old infrastructure with minimal security updates. The .NR TLD (Nauru), for example, runs systems largely unchanged since the early 2000s, with similar vulnerability patterns. Countries with smaller IT budgets often struggle to maintain secure registrar systems, creating potential attack vectors for nation-state actors.

Economic Incentives and Security

The current bug bounty ecosystem creates a perverse incentive structure where critical infrastructure vulnerabilities are often overlooked. While companies pay substantial rewards for application-level flaws, they typically exclude issues in dependencies they don't control—despite these often having far greater impact potential.

Supply Chain Vulnerabilities

TLD registrars represent a critical point in the internet's supply chain. A successful attack on major TLD infrastructure could cascade across millions of websites simultaneously, making them attractive targets for Advanced Persistent Threat (APT) groups and cybercriminal organizations.

Reflections on TLD Security

This case underscores a critical question: who is accountable when vulnerabilities exist in shared infrastructure like TLD registrars? While organizations often pay bug bounties for flaws in their applications, most exclude issues in dependencies they don't directly control. This leaves little incentive for researchers to hunt for registrar or DNS-level flaws—even though such vulnerabilities can have massive, systemic impact.

With over 1,500 TLDs currently in operation, many running outdated or poorly maintained registrar portals, the broader risk is clear. The internet's decentralized structure, while providing resilience against single points of failure, also creates numerous potential attack vectors that are difficult to monitor and secure comprehensively.

Defensive Strategies and Mitigation

Organizations can implement several defensive strategies to reduce their exposure to TLD-level attacks:
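One such control, added here as an example and not taken from the article: a monitor that parses dig-style NS answers for a domain you own and reports any nameserver that differs from a recorded baseline, which is precisely the change the .to flaws would have allowed an attacker to make at the registry. The domain, nameserver names and answer text are constructed.

```python
# Constructed baseline of the nameservers you expect to see delegated for
# your own domain; in practice this is recorded at onboarding and kept
# under change control.
BASELINE = {"example.to": {"ns1.provider.example.", "ns2.provider.example."}}

# Constructed sample of `dig +noall +answer NS example.to` output in which
# one delegation has been swapped for an unknown server.
SAMPLE_ANSWER = """\
example.to.\t3600\tIN\tNS\tns1.provider.example.
example.to.\t3600\tIN\tNS\tns1.unknown.example.
"""

def parse_ns_answer(text):
    """Return {owner: set(nameservers)} from dig-style NS answer lines."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        # Answer lines have five fields: owner, TTL, class, type, rdata.
        if len(parts) != 5 or parts[3] != "NS":
            continue
        owner = parts[0].rstrip(".").lower()
        found.setdefault(owner, set()).add(parts[4].lower())
    return found

def ns_drift(baseline, observed):
    """Compare observed NS sets to the baseline; return per-domain differences.

    An empty result means every monitored domain is delegated exactly as
    recorded. Anything else is worth an alert: a nameserver you did not
    configure now answers for your domain.
    """
    report = {}
    for domain, expected in baseline.items():
        seen = observed.get(domain, set())
        added, removed = seen - expected, expected - seen
        if added or removed:
            report[domain] = {"unexpected": sorted(added),
                              "missing": sorted(removed)}
    return report

if __name__ == "__main__":
    print(ns_drift(BASELINE, parse_ns_answer(SAMPLE_ANSWER)))
```

Query the parent TLD's servers directly rather than a recursive resolver, so a poisoned or stale cache cannot hide a delegation change.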

Timeline

Lessons Learned and Industry Impact

Domain registrars sit at the root of internet trust, functioning as the foundational layer of the web's security model. Even a short-lived compromise could undermine entire ecosystems, affecting millions of users and billions of dollars in commerce. This case demonstrates the critical importance of:

While the .to issue was swiftly contained through responsible disclosure and rapid response, many other TLDs may be carrying similar risks, waiting to be discovered—hopefully by security researchers rather than malicious actors. The incident has since prompted several other TLD operators to conduct security audits of their own systems.