SSL.com Scrambles to Patch Certificate Issuance Vulnerability


Jasper_The_Rasper
Moderator

A vulnerability in SSL.com has resulted in nearly a dozen certificates for legitimate domains being wrongly issued.

 

April 22, 2025 By Ionut Arghire

 

A domain control validation (DCV) vulnerability has resulted in SSL.com wrongly issuing nearly a dozen digital certificates for seven legitimate domains.

The bug was discovered and reported by a researcher who abused it to obtain a fraudulent certificate for aliyun.com, the official website for Alibaba Cloud, one of the largest cloud companies.

“SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver’s email address as a verified domain, which is completely erroneous,” the researcher noted in a bug report.

 

>>Full Article<<
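
The validation-scope error quoted in the bug report, modelled as an added example (not part of the original post and not SSL.com's code): the flawed function also marks the approver's mail host as verified, while the corrected one validates only the domain that published the contact record. The `_validation-contactemail` prefix is the record name used by BR 3.2.2.4.14; the class, function names and `.example` domains are constructed, and the subdomain rule in `may_issue` is a simplifying assumption.

```python
from dataclasses import dataclass

TXT_PREFIX = "_validation-contactemail."  # TXT record name used by BR 3.2.2.4.14


@dataclass(frozen=True)
class EmailApproval:
    """One completed 'Email to DNS TXT Contact' approval (hypothetical model)."""
    queried_record: str   # DNS name whose TXT record supplied the contact address
    approver_email: str   # address from that record that confirmed the random value


def authorization_domain(approval):
    """Domain whose DNS zone published the contact record."""
    name = approval.queried_record.lower().rstrip(".")
    if not name.startswith(TXT_PREFIX):
        raise ValueError("not a contact-email TXT record")
    return name[len(TXT_PREFIX):]


def email_host(approval):
    """Host part of the approver's address; it proves nothing about domain control."""
    return approval.approver_email.rsplit("@", 1)[1].lower()


def validated_flawed(approval):
    """Behaviour the report describes: the approver's mail host is marked verified."""
    return {authorization_domain(approval), email_host(approval)}


def validated_correct(approval):
    """Only the domain that published the TXT record is validated."""
    return {authorization_domain(approval)}


def may_issue(fqdn, validated):
    """Simplified issuance gate: the name equals or sits under a validated domain."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in validated)


# Constructed sample: the applicant controls requester.example and lists a
# mailbox hosted at an unrelated provider as the approval contact.
SAMPLE = EmailApproval("_validation-contactemail.requester.example",
                       "admin@mailprovider.example")

if __name__ == "__main__":
    for label, fn in (("flawed", validated_flawed), ("correct", validated_correct)):
        print(label, sorted(fn(SAMPLE)),
              may_issue("www.mailprovider.example", fn(SAMPLE)))
```
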
