MasterCard's 5-Year DNS Typo
AI-created, human-edited.
A simple typo in MasterCard's DNS configuration went unnoticed for nearly five years, potentially exposing one of the world's largest payment processors to serious security risks. This revelation, first reported by Brian Krebs and discussed in detail on the Security Now podcast with Steve Gibson, highlights how even minor oversights can create major vulnerabilities in critical financial infrastructure.
Security researcher Philippe Caturegli recently uncovered a critical DNS configuration error in MasterCard's domain settings: a missing letter 't' in one of MasterCard's five nameserver records, where the provider domain "akam.net" was mistyped as "akam.ne". This seemingly insignificant error persisted from June 2020 until January 2025, when Caturegli took action.
As Steve Gibson emphasized during the podcast discussion, the severity of this misconfiguration cannot be overstated. Here's why:
- The unregistered domain (akam.ne) could have been purchased by malicious actors, potentially allowing them to:
  - Intercept email traffic intended for MasterCard
  - Obtain unauthorized website encryption certificates
  - Potentially capture Windows authentication credentials from employee computers
  - Control approximately one-fifth of MasterCard's DNS traffic
- The impact could have been even more significant because of DNS caching. As Gibson explained, by serving answers with long TTL (Time To Live) values, attackers could have redirected far more than one-fifth of the traffic, since resolvers would keep the poisoned answers cached long after the query that fetched them.
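As an added example, not code from the podcast or from Krebs's report, the following Python audit takes a zone's NS hostnames (as returned by `dig NS example.com`) and flags any whose parent domain is a near-miss of an expected provider domain, which is exactly the pattern the akam.ne typo followed. The allowlist and the sample records are constructed for illustration and are not MasterCard's actual records.

```python
"""Audit a zone's NS records for nameserver hostnames whose parent
domain is not one of the expected DNS providers, e.g. a typo such as
akam.ne instead of akam.net that leaves a delegation pointing at a
domain anyone could register."""
from difflib import SequenceMatcher

# Registrable domains the organisation's nameservers are expected to
# live under. Hypothetical allowlist for this example.
EXPECTED_PARENTS = {"akam.net", "akamaiedge.net"}


def parent_domain(ns_host: str) -> str:
    """Return the last two labels of a nameserver hostname.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_nameservers(ns_hosts, expected=EXPECTED_PARENTS, threshold=0.8):
    """Classify each NS hostname as 'ok', 'likely-typo' (its parent is
    very close to an expected provider domain) or 'unknown' (its parent
    is not expected at all). Returns (host, parent, status, nearest)."""
    findings = []
    for host in ns_hosts:
        parent = parent_domain(host)
        if parent in expected:
            findings.append((host, parent, "ok", None))
            continue
        # Pick the expected parent that looks most like this one.
        best = max(expected,
                   key=lambda e: SequenceMatcher(None, parent, e).ratio())
        score = SequenceMatcher(None, parent, best).ratio()
        status = "likely-typo" if score >= threshold else "unknown"
        findings.append((host, parent, status,
                         best if status == "likely-typo" else None))
    return findings


# Constructed sample modelled on the incident: one of five NS records is
# missing the trailing "t". These are not MasterCard's real records.
SAMPLE_NS = [
    "a1-51.akam.net.",
    "a12-67.akam.ne.",
    "a13-64.akam.net.",
    "a20-65.akam.net.",
    "a9-66.akam.net.",
]

if __name__ == "__main__":
    for host, parent, status, near in audit_nameservers(SAMPLE_NS):
        note = f" (close to {near})" if near else ""
        print(f"{status:12} {host:20} parent={parent}{note}")
```

Any "likely-typo" or "unknown" finding is worth checking against the registry for that TLD, because a parent domain that is not registered at all is the dangerous case.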
Cataregli took the responsible approach by:
- Spending $300 to register the domain through Niger's registry
- Waiting three months to secure the registration
- Immediately alerting MasterCard about the vulnerability
- Documenting hundreds of thousands of daily DNS requests from locations worldwide
MasterCard's response was swift but arguably understated. The company acknowledged the typo but maintained there was "not a risk to our systems." Gibson and the Security Now team disagreed with this assessment, noting that while MasterCard's internal systems might not have been directly at risk, their customers' security certainly was.
This incident raises several important questions about DNS security:
- How many similar typos exist in other organizations' DNS configurations?
- Why did standard security audits fail to catch this error for nearly five years?
- What role should bug bounty programs play in these situations?
As Gibson noted, the gravity of this vulnerability rivals that of the Dan Kaminsky DNS cache poisoning discovery, which prompted an emergency industry-wide patch deployment.
This incident serves as a stark reminder that in cybersecurity, the smallest oversights can create the largest vulnerabilities. It also highlights the vital role of independent security researchers in identifying and responsibly disclosing such issues.