Security researcher Philippe Caturegli discovered a misconfiguration in Mastercard’s domain name system (DNS) records that could allow an attacker to redirect traffic to nefarious sites.
The typo in the DNS entries meant that some traffic was being directed to the domain a22-65.akam.ne instead of the correct domain a22-65.akam.net.
The researcher who discovered the error bought the domain for $300 to prevent it being used for malicious purposes, before alerting the card issuer.
In response, Mastercard asked him to remove a LinkedIn post about the error and stated that ethical security practice requires researchers not to publicly disclose an issue before it has been fixed.
The post alleged that Mastercard’s response showed the company did not appreciate the issue and, worse, that its actions were an attempt to silence the researcher.
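The defensive check this kind of DNS typo calls for, added here as an illustration and not code from the article or from Mastercard: it audits a list of NS hostnames, flags any that do not resolve, and flags registrable domains that are one edit away from an allow-listed provider suffix. The allow-list `EXPECTED_NS_SUFFIXES`, the `fake_resolve` stub and the sample records are constructed so the script runs offline.

```python
"""Audit a zone's NS records for dangling or typo'd name-server hosts (illustrative)."""
import socket
from typing import Callable, Iterable, Optional

# Provider suffixes the zone is expected to delegate to (constructed allow-list).
EXPECTED_NS_SUFFIXES = ("akam.net",)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character typos in a suffix."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-label public suffixes)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def dns_resolve(host: str) -> Optional[str]:
    """Live lookup; returns None when the host does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def audit_ns_records(ns_hosts: Iterable[str],
                     resolve: Callable[[str], Optional[str]] = dns_resolve) -> list:
    """Return one finding per suspicious name server: unresolvable, typo'd or off-list."""
    findings = []
    for host in ns_hosts:
        host = host.rstrip(".").lower()
        reg = registrable_domain(host)
        issues = []
        if resolve(host) is None:
            issues.append("unresolvable")          # dangling: nobody answers for this host
        if reg not in EXPECTED_NS_SUFFIXES:
            near = [s for s in EXPECTED_NS_SUFFIXES if edit_distance(reg, s) == 1]
            issues.append(f"likely typo of {near[0]}" if near else "unexpected provider")
        if issues:
            findings.append({"host": host, "registrable": reg, "issues": issues})
    return findings

# Constructed sample: one correct Akamai host and one missing the trailing "t".
SAMPLE_NS = ["a22-65.akam.net.", "a22-65.akam.ne."]

def fake_resolve(host: str) -> Optional[str]:
    """Stub resolver (constructed) so the audit runs without network access."""
    return "192.0.2.10" if host.endswith("akam.net") else None

if __name__ == "__main__":
    for finding in audit_ns_records(SAMPLE_NS, fake_resolve):
        print(finding)
```

Swap `fake_resolve` for the default `dns_resolve` to run the same audit against live DNS.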