Mai rejista APNIC, wanda ke da alhakin rarraba adiresoshin IP a yankin Asiya-Pacific, ya ba da rahoton wani lamari wanda wani juji na Whois SQL mai ɗauke da bayanai masu mahimmanci da hashes na kalmar sirri ya fito fili. Yana da kyau a lura cewa wannan ba shine farkon fitowar bayanan sirri ba a cikin APNIC - a cikin 2017, bayanan Whois ya riga ya kasance a cikin jama'a kuma saboda kulawar ma'aikata.
A cikin aiwatar da aiwatar da goyon baya ga yarjejeniyar RDAP, wanda aka tsara don maye gurbin ka'idar WHOIS, ma'aikatan APNIC sun sanya juji na SQL na bayanan da aka yi amfani da su a cikin sabis na Whois a cikin Google Cloud, amma ba su hana yin amfani da shi ba. Sakamakon kuskure a cikin saitunan, zubar da SQL ya kasance a bainar jama'a na tsawon watanni uku, kuma wannan gaskiyar ta bayyana ne kawai a ranar 4 ga Yuni, lokacin da ɗaya daga cikin masu binciken tsaro mai zaman kansa ya jawo hankali ga wannan kuma ya sanar da magatakarda game da matsalar.
Jujiyar SQL ta ƙunshi sifofin "auth" masu ɗauke da hashes na kalmar sirri don gyara abubuwan Kulawa da Taimakon Amsa (IRT), da kuma wasu mahimman bayanai game da abokan ciniki waɗanda ba a nunawa a cikin Whois yayin tambayoyin al'ada (yawanci waɗannan ƙarin bayanan tuntuɓar ne da bayanin kula. game da mai amfani). Game da dawo da kalmar sirri, maharan sun sami damar canza abubuwan da ke cikin filayen tare da ma'auni na masu tubalan adiresoshin IP a cikin Whois. Abun Mai Kulawa yana bayyana mutumin da ke da alhakin canza rukunin bayanan da aka haɗa ta sifa ta "mnt-by", kuma abin IRT ya ƙunshi bayanan tuntuɓar masu gudanarwa waɗanda ke amsa sanarwar matsala. Ba a bayar da bayani game da kalmar sirri hashing algorithm da aka yi amfani da ita ba, amma a cikin 2017 an yi amfani da MD5 da suka wuce da CRYPT-PW algorithms (masu kalmar sirri tare da hashes dangane da aikin UNIX crypt) don yin hashing.
Bayan gano abin da ya faru, APNIC ta ƙaddamar da sake saitin kalmomin shiga don abubuwa a cikin Whois. A bangaren APNIC, har yanzu ba a gano alamun ayyukan da ba su dace ba, amma babu tabbacin cewa bayanan ba su fada hannun masu kutse ba, tunda babu cikakken bayanan shiga cikin fayiloli a Google Cloud. Kamar dai bayan faruwar lamarin na baya, APNIC ta yi alƙawarin gudanar da bincike tare da yin sauye-sauye kan hanyoyin fasaha don hana irin wannan yaɗuwar a nan gaba.
source: budenet.ru