VeriSign has denied claims of an alleged security vulnerability recently identified by Comodo.
According to Comodo CEO Melih Abdulhayoglu, the vulnerability could theoretically allow hackers to access VeriSign customer accounts – including a major financial institution – without proper authentication.
“The vulnerability involves a simple search for a specific keyword, which then leads to a VeriSign account public access page. So, access to these accounts are only a pass phrase away. Think about it: malicious hackers from Russia or China can simply brute force their way past the password. Remember, security is only as good as its weakest link,” Abdulhayoglu told TG Daily.
“Unfortunately, VeriSign has not accepted our analysis of the vulnerability. They are not seeing the problem and have told us that (second tier) challenge phrases are surrounded by stringent security and are monitored. But this is certainly not an acceptable policy and that is is the crux of the problem.”
Abdulhayoglu also emphasized that VeriSign had been notified of the supposed vulnerability by an independent third-party as early as last Tuesday.
“When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem…We wasted no time to help correct the problem even though it wasn’t ours to begin with.
“[Although] Comodo is not in a position to fully evaluate the scope of the vulnerability, [we] believe it is a significant security concern for VeriSign’s customers (and users of their customer’s Web sites) that rely on secure SSL Digital Certificates to transmit business and personal data.”
Unsurprisingly, a VeriSign spokesperson told TG Daily that Comodo had neither “discovered nor announced” any serious vulnerability.
“By their nature these pages are publicly accessible and access to these pages does not constitute a security flaw,” said the spokesperson.
“There is no private information available from these pages, and certificate requests go through evaluation by the enterprise’s designated certificate administration body before any certificate is issued. Comodo’s claim that it detected a ‘major security vulnerability’ that affects its customers’ Web sites, including a major financial institution, is categorically false.”
