Pakistan registrar explains how Microsoft, Google were hit by domain hijack

PKNIC, which administers the .pk top level domain, says a vulnerability that briefly popped up during a security update on its servers was responsible for the redirecting that hit many Pakistani websites last weekend. It maintains it wasn't a hack, though.

The registrar that manages the Pakistani top level domain has explained how a vulnerability in its systems allowed the hijacking and defacement of many .pk domains, including those for Google and Microsoft, last weekend.

After the domains were attacked, a hacker group claimed that the PKNIC registrar had been the vector. Early on Wednesday, PKNIC confirmed this in part, adding in an email to ZDNet UK that it had held off making a statement until now so that it could fully assess the damage and notify affected users.

In a statement on its website, PKNIC claimed four of its user accounts had been breached, affecting seven DNS servers. "That led to several website addresses to be redirected to a blank message page for a few hours," the statement read.

This does not tally with the fact that visitors to the Google and Microsoft .pk sites found themselves looking at a pair of penguins and a strange message in Turkish. ZDNet UK has asked PKNIC to explain the discrepancies.

[UPDATE: PKNIC has now updated its statement to reflect the fact that the redirects took users to the penguin page, rather than a blank page.]

In any event, PKNIC maintains it was not hacked. Ironically, the registrar said the vulnerability on its servers arose briefly during a security upgrade.

"We take the security of our servers and client data very seriously, and routinely study and analyse hundreds of thousands of vulnerability attack vectors that we have collected over the years," PKNIC executive chairman Ashar Nisar said in the statement.

"During our update to strengthen security, particularly regarding attacks of the 'SQL injection' kind, a more complex system had been installed. However, it inadvertently left open a vulnerability, under certain obscure conditions and contexts, that was used in the recent attack."

According to Nisar, the team subsequently reverted to the original model of "filtering out everything unknown", rather than "using more complicated algorithms" as it had intended to do.

PKNIC said there was no interruption to its root DNS, nor had any phishing attacks been carried out through any of the redirected sites. It also said it would kick off a bug bounty scheme, similar to those employed by some of the big online services.

"Among new initiatives at PKNIC, we plan to invite friendly hackers to test drive the security of our systems," Nisar said. "An announcement about a reward program for such developers and hackers will be announced shortly, as is done by leading global companies, like Google and others."