DeepSec 2025 Talk: ∞ Day at Scale: Hijacking Registrars, Defeating 2FA and Spoofing 17,000+ Domains Even with DMARC – Alessandro Bertoldi

Sanna / October 3, 2025 / Conference

What happens when a registrar is the weakest link in your security chain? This talk reveals how systemic failures in credential recovery, 2FA bypass, and email spoofing allow persistent exploitation—even when domains have SPF, DKIM, and DMARC p=reject properly configured. Based on real-world research conducted between 2018 and 2025, we present ∞-day (forever-day) vulnerabilities affecting over 17,000 domains—including cross-tenant spoofing in N-Able Mail Assure and flaws in Register.it’s identity recovery procedures. We’ll show full control over customer panels with zero credentials, using only PDF forms and social engineering.

We’ll also propose a concrete solution: a Reliability Scoring System for registrars and a “Green Check” trust mark for end users, integrated with RDAP and aligned with the NIS2 directive. This talk challenges assumptions about authentication, identity, and trust in Internet infrastructure—and offers both attack and defense insights.

We asked Alessandro a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. Forever-Day Vulnerabilities Persist: We have documented vulnerabilities left unpatched for years, including a cross-tenant spoofing flaw in N-Able Mail Assure that affects 17,000+ domains and completely bypasses DMARC protection.
  2. 2FA Can Be Bypassed via Social Engineering: Our research shows how attackers can reset credentials and disable two-factor authentication using only PDF forms, forged IDs, and non-anonymized WHOIS data—even a year after the initial disclosure.
  3. Major Companies Make Elementary Mistakes: We identified a misconfigured DMARC setting in Gmail.com where the quarantine policy was applied only to subdomains, leaving the main domain with weaker protection.
  4. Large-Scale Registrar Hijacking: By exploiting public WHOIS data and weak self-certification processes, attackers can use credential recovery flows to gain full control over registrar account panels without knowing usernames, passwords, or 2FA codes.
  5. Proposed Regulatory Solution: We introduce a concrete trust-scoring system based on RDAP and a browser-integrated “Green Check” that would create mandatory security standards aligned with the European NIS2 directive.
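As an added example, not code from the talk or its author: a small Python check for the DMARC misconfiguration pattern described in point 3, where a stricter policy is set only for subdomains through the `sp=` tag while the organizational domain's own `p=` stays weaker. The DMARC record in the test is constructed to show the pattern and is not a real lookup of any domain.

```python
"""Determine which DMARC policy a receiver actually applies to the
organizational domain versus its subdomains (RFC 7489 p= and sp= tags),
and flag records where the main domain ends up with weaker protection
than its subdomains. No DNS lookups are done; records are passed in."""

# Ordering used to compare policy strength.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def effective_policy(record: str, is_subdomain: bool) -> str:
    """Policy a receiver applies to mail from the domain (p=) or from one of
    its subdomains (sp= when present, otherwise it inherits p=).
    A record lacking p= is treated here as p=none, the weakest setting."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    if is_subdomain:
        policy = tags.get("sp", policy).lower()
    if policy not in STRENGTH:
        raise ValueError(f"unknown DMARC policy value: {policy}")
    return policy


def main_domain_weaker_than_subdomains(record: str) -> bool:
    """True when sp= is stricter than p=, i.e. the organizational domain
    itself is protected less than the subdomains it covers."""
    main = STRENGTH[effective_policy(record, is_subdomain=False)]
    sub = STRENGTH[effective_policy(record, is_subdomain=True)]
    return main < sub


if __name__ == "__main__":
    # Constructed sample record illustrating the pattern, not a real domain's.
    sample = "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.invalid"
    print("main domain:", effective_policy(sample, False))
    print("subdomains :", effective_policy(sample, True))
    print("main weaker:", main_domain_weaker_than_subdomains(sample))
```

Running the check across all DMARC records you publish is a quick way to confirm that the policy on the apex domain is at least as strict as the one applied to its subdomains.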

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

During our penetration testing work, frustration sparked when we could identify and report critical vulnerabilities without having a mechanism to ensure they were actually fixed. We observed the same fundamental flaws persisting across multiple registrars and email providers for years. The breaking point was discovering that a vulnerability reported to SolarWinds in 2018 was still exploitable in 2025, now impacting thousands of domains under N-Able Mail Assure. This was not just a technical failure—it was a systemic breakdown where responsibility was diffuse and security remained optional. We realized voluntary disclosure wasn’t enough. The industry needed mandatory standards with visible consequences for non-compliance, similar to how SSL certificates created market pressure for HTTPS adoption.

Why do you think this is an important topic?

This topic is critical because these vulnerabilities affect the foundational trust infrastructure of the internet. When domain registrars and email providers can be compromised through simple social engineering, it undermines the entire digital ecosystem that businesses and individuals rely on daily. The persistence of these flaws—some unpatched for over six years—reveals a systemic failure in how the industry handles security. Without mandatory standards and visible accountability, organizations have little incentive to fix known vulnerabilities, leaving millions of users exposed to preventable attacks.

Furthermore, as organizations increasingly rely on cloud services and third-party providers, these procedural vulnerabilities become attack multipliers. A single compromised registrar account can lead to domain hijacking, email interception, and complete business disruption. The fact that attackers can bypass technical security controls like 2FA through paperwork alone shows that we’re fighting yesterday’s war while ignoring today’s real threats.

Is there something you want everybody to know – some good advice for our readers maybe?

For Organizations: Don’t assume your registrar or email provider has adequate security just because they are established. Verify their identity verification processes, check if they support proper 2FA, and review their incident response history if published. Treat WHOIS privacy protection as a baseline security measure, not a luxury.

For Security Teams: Focus on procedural vulnerabilities alongside technical ones. Social engineering attacks against service providers can bypass all your internal security controls. Document and test your credential recovery processes—they are often the weakest link.

For the Industry: We must move beyond voluntary security measures. Create accountability through transparency. Publish security scorecards, maintain public incident databases, and support regulatory frameworks that make security compliance visible to customers and business partners.

Most importantly, remember that security is only as strong as its weakest procedural link. Technical solutions mean nothing if an attacker can simply call customer service and submit a PDF form to recover credentials because policy allows it.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Short term (2–3 years): We will see increasing regulatory pressure following NIS2 implementation, leading to mandatory security certifications for critical infrastructure providers including registrars. Browser vendors will likely implement some form of trust indicators, though not as comprehensive as our initially proposed system.

Medium term (5–7 years): The concept of “procedural attack surfaces” will go mainstream in security frameworks. Organizations will begin treating their supplier relationships and service provider processes as critical security boundaries requiring the same rigor as network perimeters.

Long-term concerns: As AI makes social engineering attacks more sophisticated and scalable, the gap between organizations with robust procedural security and those relying on “security through obscurity”—hiding vulnerabilities or weak processes hoping they won’t be discovered—will become a key competitive differentiator. We may see the emergence of “security cartels” where only pre-verified high-security providers can participate in certain business ecosystems.

Innovation opportunity: Real-time automated verification of security posture will become standard. Instead of annual audits, we will have continuous monitoring systems that can instantly validate a provider’s security claims and alert customers to changes in risk profile.

Organizations that understand this shift from technical to procedural security will have a significant advantage in an increasingly regulated digital landscape.

 

Alessandro Bertoldi is an independent cybersecurity researcher and the lead investigator behind several high-impact vulnerability disclosures affecting domain registrars, email providers, and public infrastructure. His work focuses on ∞-day (forever-day) vulnerabilities, identity recovery flaws, and process-layer attack chains. Alessandro has collaborated with peers in coordinated disclosure efforts, and his current research intersects offensive security, regulatory compliance (NIS2), and protocol governance (WHOIS/RDAP).
