Subdomain Takeover through External Services


Being a developer can be a stressful job: following your employer's requests, creating website designs, making every button and feature work, managing the database, building additional features, and finishing all of it before the deadline. These are just some of the things developers deal with daily. With so much on their minds, developers often forget to clean up DNS records for services they no longer use, and that leaves hackers an open door for subdomain takeover.
What is a Subdomain Takeover?
Subdomain takeover is an attack against a subdomain whose DNS record (usually a CNAME) still points at an external service that no longer hosts anything for the site. Because the record dangles, an attacker can claim the unclaimed name at that service and serve their own content under the victim's subdomain. External services this has been done through include Desk, Squarespace, Shopify, GitHub, Tumblr, and Heroku.
Recently, an employee of GetWhiteHats found three subdomain takeovers: one on 9gag via desk.com, one on PythonPH via Heroku, and one on BitMarket via Tumblr. Each was reported through the respective responsible disclosure program, and each was acknowledged and fixed.
Here is a step-by-step account of the attack on 9gag.com, as reported by our employee.
Example Attack:
First, he needed to know the target's subdomains; to make that easier he used a Python tool that enumerates them.


He then found that contact.9gag.com pointed to 9gag.desk.com.


He immediately saw that 9gag's account on desk.com had already expired, so nobody owned 9gag.desk.com any more while contact.9gag.com still pointed at it. That dangling record is what made contact.9gag.com vulnerable to subdomain takeover.
So the next thing he did was register a desk.com account with 9gag as the company name, which gave him the 9gag.desk.com URL; once registered, he set contact.9gag.com as the site's web address.


After some tweaking he owned 9gag.desk.com, and because contact.9gag.com still resolved to it, he controlled whatever visitors to contact.9gag.com were served. Note that he never touched 9gag's DNS: the takeover happens entirely on the external service's side.




Why is it dangerous?
1. It is remarkably easy: signing up for a new account and claiming the unclaimed name takes minutes, and the service usually asks for no proof that you own the parent domain.
2. With the subdomain under their control, an attacker can build a complete clone of the site, add a login form that captures credentials (including admin accounts) before redirecting the user onward, collect cookies scoped to the parent domain (a cookie set with Domain=.9gag.com is sent to contact.9gag.com as well), or simply destroy the credibility of your company.
3. It is covert. Visitors' traffic goes straight to the third-party service and never passes through the domain owner's network, so the owner's IDS sees nothing; the only evidence is a DNS record that looks exactly as it did before.
4. The external service provider is unlikely to fix this for you: from its side, a customer has simply registered a free name.
How do you prevent this kind of attacks?
As you can see, not even 9gag, one of the most visited websites, is safe from this attack. On the bright side, it is easy to prevent.
If a subdomain points to an external service you no longer use, remove that DNS record (or repoint it) at the moment you cancel the service, not afterwards, and audit your zone periodically for CNAMEs whose targets are no longer claimed.
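As an added example (not code from the original post, the Detectify research, or any of the services named), here is a small Python audit that does what the attacker did in the steps above, but from the defender's side, and produces the list of records the prevention advice says to remove: for each subdomain it follows the CNAME chain to a tracked hosting service, then flags the record as dangling if the target name no longer resolves or if the service returns its "unclaimed site" page. The DNS answers, HTTP bodies, and the per-service fingerprint strings are constructed or assumed for this example; swap the three callbacks for a real resolver and HTTP client to run it against your own zone.

```python
"""Audit a zone for CNAMEs that dangle at third-party hosting services.

Added example for this post, not code from the post or from any service
named in it. DNS answers and HTTP bodies below are constructed so the
script runs offline; in practice back the callbacks with a real resolver
(e.g. dnspython) and an HTTP client.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Hosting suffixes named in the post, each paired with the text the service
# is ASSUMED (for this example) to show for an unclaimed site. Verify the
# real strings against the live service before relying on them.
SERVICE_FINGERPRINTS: Dict[str, str] = {
    "desk.com": "Sorry, We Couldn't Find That Page",
    "herokuapp.com": "No such app",
    "tumblr.com": "There's nothing here.",
    "github.io": "There isn't a GitHub Pages site here.",
    "myshopify.com": "Sorry, this shop is currently unavailable",
    "squarespace.com": "No Such Account",
}

# Constructed stand-ins for live DNS and HTTP answers.
CONSTRUCTED_CNAMES: Dict[str, Optional[str]] = {
    "contact.9gag.com": "9gag.desk.com",          # the case from the post
    "blog.example.com": "example.tumblr.com",     # still claimed by the owner
    "app.example.com": "old-app.herokuapp.com",   # target name no longer exists
    "shop.example.com": "example.myshopify.com",  # store closed, name is free
    "api.example.com": None,                      # plain A record, no CNAME
}
CONSTRUCTED_RESOLVES: Dict[str, bool] = {
    "9gag.desk.com": True,
    "example.tumblr.com": True,
    "old-app.herokuapp.com": False,
    "example.myshopify.com": True,
}
CONSTRUCTED_BODIES: Dict[str, str] = {
    "contact.9gag.com": "<h1>Sorry, We Couldn't Find That Page</h1>",
    "blog.example.com": "<h1>Welcome to our blog</h1>",
    "shop.example.com": "<p>Sorry, this shop is currently unavailable.</p>",
}

Finding = Tuple[str, str, Optional[str]]  # (subdomain, verdict, CNAME target)


def service_for(target: str) -> Optional[str]:
    """Return the tracked hosting suffix a CNAME target belongs to, if any."""
    host = target.rstrip(".").lower()
    for suffix in SERVICE_FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(subdomain: str,
             lookup_cname: Callable[[str], Optional[str]],
             resolves: Callable[[str], bool],
             fetch_body: Callable[[str], str],
             max_hops: int = 8) -> Tuple[str, Optional[str]]:
    """Follow the CNAME chain to a tracked service and decide if it dangles."""
    target = lookup_cname(subdomain)
    if target is None:
        return "no-cname", None
    for _ in range(max_hops):              # CNAME -> CNAME chains are common
        if service_for(target) is not None:
            break
        nxt = lookup_cname(target)
        if nxt is None:                    # chain ends at a host we don't track
            return "cname-not-tracked", target
        target = nxt
    else:
        return "cname-chain-too-deep", target
    if not resolves(target):               # NXDOMAIN: the name is up for grabs
        return "dangling-nxdomain", target
    # The name exists (often a wildcard), so ask the service what it serves.
    if SERVICE_FINGERPRINTS[service_for(target)] in fetch_body(subdomain):
        return "dangling-unclaimed", target
    return "claimed", target


def audit(zone: Dict[str, Optional[str]], resolves_map: Dict[str, bool],
          bodies: Dict[str, str]) -> List[Finding]:
    """Classify every name in the zone using the supplied answer tables."""
    return [(sub, *classify(sub,
                            lambda n: zone.get(n),
                            lambda n: resolves_map.get(n, False),
                            lambda n: bodies.get(n, "")))
            for sub in sorted(zone)]


def dangling_records(findings: List[Finding]) -> List[str]:
    """Records to delete or repoint: the fix the post recommends."""
    return [sub for sub, verdict, _ in findings if verdict.startswith("dangling")]


def audit_constructed() -> List[Finding]:
    return audit(CONSTRUCTED_CNAMES, CONSTRUCTED_RESOLVES, CONSTRUCTED_BODIES)


if __name__ == "__main__":
    results = audit_constructed()
    for sub, verdict, target in results:
        print(f"{sub:20} {verdict:22} {target or '-'}")
    print("delete or repoint:", ", ".join(dangling_records(results)))
```

Running it prints one line per subdomain and then the records to remove; on the constructed data, contact.9gag.com comes out as `dangling-unclaimed` exactly as in the post, the Heroku name as `dangling-nxdomain`, and the Tumblr blog as `claimed`. A CNAME to a service not in the table is reported as `cname-not-tracked` rather than ignored, because a service you do not track is exactly where the next takeover lives.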
I hope we all learned a great lesson after reading this.
Credits to Detectify