SSL.com scrambles to patch certificate issuance vulnerability

A domain control validation (DCV) vulnerability has resulted in SSL.com wrongly issuing nearly a dozen digital certificates for seven legitimate domains.
The bug was discovered and reported by a researcher who abused it to obtain a fraudulent certificate for aliyun.com, the official website for Alibaba Cloud, one of the largest cloud companies.
“SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver’s email address as a verified domain, which is completely erroneous,” the researcher noted in a bug report.
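The check the bug report describes, as an added Python sketch (not SSL.com's code and not part of the original article): under BR 3.2.2.4.14 the contact address is read from a TXT record on the `_validation-contactemail` subdomain of the domain being validated, so only that domain may be marked verified, never the hostname of the approver's address. The record layout, function names and `.example` domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Label the Baseline Requirements define for the DNS TXT email contact.
TXT_LABEL = "_validation-contactemail."

@dataclass(frozen=True)
class Approval:            # hypothetical record layout
    queried_name: str      # DNS name whose TXT record listed the contact
    approver_email: str    # address that confirmed the random value
    marked_verified: str   # domain the CA system recorded as validated

def email_hostname(address: str) -> str:
    return address.rsplit("@", 1)[1].lower().rstrip(".")

def flawed_verified_domain(a: Approval) -> str:
    # Defect described in the report: the approver's mail host is trusted.
    return email_hostname(a.approver_email)

def verified_domain(a: Approval) -> str:
    # Only the domain that published the TXT record has shown control.
    name = a.queried_name.lower().rstrip(".")
    if not name.startswith(TXT_LABEL) or len(name) == len(TXT_LABEL):
        raise ValueError(f"not a contact-email TXT name: {a.queried_name!r}")
    return name[len(TXT_LABEL):]

def audit(approvals):
    """Return approvals whose recorded domain is not the one that was queried."""
    return [a for a in approvals
            if a.marked_verified.lower() != verified_domain(a)]

# Constructed sample records (reserved .example names, not real data).
SAMPLE = [
    Approval("_validation-contactemail.shop.example",
             "admin@shop.example", "shop.example"),
    Approval("_validation-contactemail.shop.example",
             "admin@mailhost.example", "mailhost.example"),
]

if __name__ == "__main__":
    for a in audit(SAMPLE):
        print("mis-validated:", a.marked_verified, "via", a.queried_name)
```

Run over stored validation records, `audit` surfaces any approval where the recorded domain came from the email address rather than from the DNS name that was queried.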
Read more at Security Week