MasterCard has addressed a critical flaw in its Domain Name System (DNS) configuration that allowed anyone to intercept or redirect the company’s internet traffic by registering an unused domain. This vulnerability, which persisted for nearly five years, was resolved thanks to the efforts of an independent security researcher who spent $300 to register the domain and prevent its exploitation by cybercriminals.
From June 30, 2020, to January 14, 2025, one of MasterCard’s key DNS servers, responsible for managing traffic for parts of the “mastercard[.]com” network, was misconfigured. Instead of referencing the correct server name ending in “akam.net,” the configuration pointed to a misspelled domain, “akam.ne,” which falls under “.ne,” the country-code top-level domain of Niger in West Africa.
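A defensive check for this class of error, as an added example that is not part of the original article: it audits a zone's NS targets against the provider domains the operator expects and flags near-miss names such as “akam.ne.” The host labels, the approved-domain list and the function names are constructed for illustration.

```python
# Added example: audit a zone's NS set for nameserver names that fall outside
# the approved provider domains, flagging near-miss typos such as akam.ne.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(host: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.strip().rstrip(".").lower()

def audit_ns(ns_hosts, approved_domains, max_typo_distance=2):
    """Return (host, verdict, detail) per NS target.

    verdict: "ok", "likely-typo" (near an approved domain, not under it),
    or "unapproved".
    """
    approved = [normalize(d) for d in approved_domains]
    findings = []
    for raw in ns_hosts:
        host = normalize(raw)
        if any(host == d or host.endswith("." + d) for d in approved):
            findings.append((raw, "ok", ""))
            continue
        # Compare the host's trailing labels against each approved domain.
        labels = host.split(".")
        best = None
        for d in approved:
            tail = ".".join(labels[-len(d.split(".")):])
            dist = edit_distance(tail, d)
            if best is None or dist < best[0]:
                best = (dist, d)
        if best and best[0] <= max_typo_distance:
            findings.append((raw, "likely-typo", best[1]))
        else:
            findings.append((raw, "unapproved", ""))
    return findings

# Constructed sample NS set (hypothetical host labels, not MasterCard's records).
SAMPLE_NS = ["ns1.akam.net.", "ns2.akam.net.", "ns3.akam.ne.", "NS4.Akam.Net", "ns5.example.org."]

if __name__ == "__main__":
    for host, verdict, detail in audit_ns(SAMPLE_NS, ["akam.net"]):
        print(f"{host:20} {verdict:12} {detail}")
```

Run against the NS targets published for each zone, any verdict other than "ok" is worth an alert, since a nameserver name under a domain the operator does not control can be registered by someone else.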
The flaw was discovered by Philippe Caturegli, founder of the security company Seralys. Realizing that the domain “akam.ne” was unregistered, Caturegli decided to acquire it. The registration process took nearly three months and involved paying a registration fee. Once the DNS server on the new domain was configured, Caturegli observed hundreds of thousands of requests from around the world, most of which were linked to MasterCard.
Caturegli noted that he could have exploited the situation by, for instance, obtaining SSL/TLS encryption certificates for fraudulent websites or intercepting MasterCard employees’ credentials. However, he chose to report the issue to the company and offered to transfer ownership of the domain. MasterCard acknowledged the problem and rectified its configuration, asserting that the system faced no actual risk.
Subsequently, MasterCard reached out to Caturegli via the Bugcrowd platform, accusing him of breaching ethical security standards for publishing details of the issue on LinkedIn. Caturegli countered that he had not used Bugcrowd to report the vulnerability and had proactively mitigated potential risks by securing the domain.
Caturegli emphasized that the error could have posed significant security risks, as public DNS resolvers like Google or Cloudflare might cache incorrect data. This would have allowed malicious actors to redirect substantial amounts of traffic by exploiting the vulnerability.
He concluded his LinkedIn post with a pointed remark: “Don’t be like MasterCard. Don’t ignore risks, and don’t let marketing teams handle security issues.”