Subdomain takeover is a DNS hygiene problem that can damage a company's credibility. Even so, too many companies let it persist.
Any business with a website also has subdomains. These prefixes to the main domain name bring order to a site's content and services, and keep visitors from leaving immediately out of fear, contempt or confusion. Large companies can have thousands of them: IBM has about 60,000 subdomains, compared with "only" 2,132 for Walmart.com. Whatever value subdomains bring to a business (and they bring a lot), each one is an additional target for attackers. Last year, subdomains belonging to Chevron, 3M, Warner Bros., Honeywell and many other large companies were hijacked by attackers who redirected visitors to porn sites, malware, online gambling and other questionable activities.
TechRadar, writing about the March 2020 incidents, called it "a recurring issue for Azure-hosted sites." At the time, the vulnerability alert service Vullnerability reported finding more than 670 vulnerable Microsoft subdomains with an automated scan, and blamed Microsoft's poor domain name system (DNS) practices (Microsoft, to be fair, has a staggering 122,571 subdomains). According to Vullnerability, a subdomain becomes vulnerable to takeover when the hosting service it points to expires or when its DNS records are misconfigured: the record still exists, but the resource it names is gone, and whoever can claim that resource with the provider now controls what the subdomain serves. Once attackers control the subdomain, Vullnerability says, they can upload files, create databases, monitor data traffic and clone the main website.
Beware of Related Domain Attacks
Worse still, "it is impossible to detect that the subdomain" has been hijacked, which leaves the company's systems open to further attacks. In a new paper to be presented at the 30th USENIX Security Symposium, held August 11 to 13, researchers from the Vienna University of Technology present their work on "related-domain" attacks and offer advice to IT professionals on protecting themselves against subdomain takeover. "In addition to DNS misconfigurations, subdomains can be exploited if assigned to untrusted users," the paper also states. Dangling DNS records, that is, records pointing to expired resources, can be taken over by unauthorized parties, and discontinued third-party services can offer the same foothold. The consequences, according to the researchers, go well beyond defacement. Browsers treat a subdomain as related to its parent: a cookie scoped to the parent domain is sent to every subdomain and can be overwritten from any of them, and the two count as the same site for SameSite purposes. A subdomain takeover can therefore enable session hijacking, session fixation, bypass of web security mechanisms and more convincing phishing, to name only a few. There are so many ways to exploit subdomains that it is depressing.
Fortunately, on their website, the researchers also give practical advice on fixing it. To identify subdomains that are potentially vulnerable to takeover, they suggest "reviewing all CNAME-type DNS entries pointing to external domains, as well as all A/AAAA entries pointing to IP addresses that are not directly controlled by the company, for example those of service and cloud providers". If the resources behind them are no longer active, "the corresponding DNS entries must be deleted". To protect web applications against exploitation, the researchers further recommend that developers "establish security policies according to the principle of least privilege, that is, to restrict the attack surface as much as possible". Developers are also advised to "consider using the __Host- cookie prefix if the cookies set by the web application do not need to be shared with other related domains": a browser only accepts a __Host- cookie that carries the Secure attribute, has no Domain attribute and has Path=/, so no sibling subdomain, hijacked or not, can set or shadow it.
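The audit the researchers describe (CNAME records pointing at external domains, A/AAAA records pointing at addresses the company does not control) and the expired-resource mechanism from the Vullnerability paragraph above can be scripted. The following is an added example written for this page, not code from the article or from the TU Wien researchers. The company name, zone records, resolver answers and owned IP ranges are all constructed so the script runs offline; in a real audit you would replace the `RESOLVABLE` table with live lookups and `OWNED_RANGES` with the prefixes your organisation actually owns.

```python
"""Audit a DNS zone for subdomain-takeover candidates (constructed example)."""
import ipaddress

APEX = "acme-example.com"  # hypothetical company apex domain

# Constructed zone: name -> (record type, value)
ZONE = {
    "www.acme-example.com": ("A", "203.0.113.10"),
    "api.acme-example.com": ("CNAME", "api-lb.acme-example.com."),
    "api-lb.acme-example.com": ("A", "203.0.113.11"),
    "blog.acme-example.com": ("CNAME", "acme-blog.ghost-host.invalid."),
    "shop.acme-example.com": ("CNAME", "acme-shop.cdn-provider.invalid."),
    "old-app.acme-example.com": ("A", "198.51.100.77"),
}

# Constructed resolver answers. A target missing from this table is
# treated as NXDOMAIN, the classic sign of a dangling CNAME.
RESOLVABLE = {
    "acme-shop.cdn-provider.invalid.": ["192.0.2.50"],
    "api-lb.acme-example.com.": ["203.0.113.11"],
}

# IP prefixes the company controls (constructed, documentation range).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def fqdn(name):
    """Normalise to a lower-case, fully-qualified name with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def classify(rtype, value, apex, resolvable, owned_ranges):
    """Return (severity, reason) for one record.

    severity is one of:
      "dangling" - CNAME target no longer exists: takeover candidate
      "review"   - points outside our control: verify the account or IP is still ours
      "ok"       - nothing to do
    """
    if rtype == "CNAME":
        target = fqdn(value)
        if target == fqdn(apex) or target.endswith("." + fqdn(apex)):
            return "ok", "internal CNAME"
        if target not in resolvable:
            return "dangling", f"CNAME target {target} does not resolve (NXDOMAIN)"
        # A resolving external target is not proof of safety: some providers
        # answer for any hostname and let a new customer claim an unclaimed one.
        return "review", f"CNAME to external provider {target}; confirm the account is still ours"
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(value)
        if any(addr in net for net in owned_ranges):
            return "ok", "address in an owned range"
        return "review", f"{rtype} record points at {addr}, outside owned ranges"
    return "ok", f"{rtype} record not audited"


def audit(zone, apex=APEX, resolvable=RESOLVABLE, owned_ranges=OWNED_RANGES):
    """Classify every record in the zone; returns name -> (severity, reason)."""
    return {
        name: classify(rtype, value, apex, resolvable, owned_ranges)
        for name, (rtype, value) in zone.items()
    }


if __name__ == "__main__":
    for name, (severity, reason) in sorted(audit(ZONE).items()):
        print(f"{severity:8} {name:28} {reason}")
```

The "dangling" finding (a CNAME whose target returns NXDOMAIN) is the one to delete immediately. The "review" findings are deliberately not auto-closed: a CNAME into a cloud provider that still resolves may point at a hostname the provider will hand to the next customer who asks for it, and an A record outside your ranges may be a cancelled VPS whose address has since been reassigned. Both need a human to confirm the resource is still yours.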
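To make the session-fixation risk from the previous section concrete, and to show what the researchers' __Host- recommendation actually changes, here is a second added example (again not code from the article or the TU Wien paper). The host names and cookie values are constructed; the matching rules are those of RFC 6265 domain matching and the __Host-/__Secure- prefix requirements of the RFC 6265bis draft, simplified to the attributes that matter here.

```python
"""Cookie scoping from a hijacked sibling subdomain, with and without __Host-."""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def prefix_violations(header):
    """Reasons a browser rejects a __Secure-/__Host- cookie; [] means accepted."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        problems.append("missing Secure attribute")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be /")
    return problems


def cookie_scope(header, setting_host):
    """Where a cookie applies under RFC 6265 domain matching.

    No Domain attribute: host-only, exactly the host that set it.
    Domain attribute: that domain and every subdomain of it.
    """
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lstrip(".").lower()
    return ("domain", domain) if domain else ("host", setting_host.lower())


def sent_to(target_host, header, setting_host):
    """True if a cookie set by setting_host would be stored and sent to target_host."""
    if prefix_violations(header):
        return False  # the browser never stored it
    kind, scope = cookie_scope(header, setting_host)
    target_host, setting_host = target_host.lower(), setting_host.lower()
    if kind == "host":
        return target_host == scope
    # The setting host must itself be inside the Domain it names.
    if not (setting_host == scope or setting_host.endswith("." + scope)):
        return False
    return target_host == scope or target_host.endswith("." + scope)


# Constructed scenario: blog.acme-example.com has been taken over and the
# real application lives on www.acme-example.com.
HIJACKED = "blog.acme-example.com"
VICTIM_APP = "www.acme-example.com"

# Legacy session cookie scoped to the parent domain: the attacker plants a
# session id of their choosing from the hijacked sibling (session fixation).
FIXATION = "sid=attacker-chosen; Domain=acme-example.com; Path=/; Secure"

# With the __Host- prefix the Domain attribute is forbidden, so the same
# attempt is rejected, and a host-only cookie from blog. never reaches www.
HOST_PREFIX_ATTEMPT = "__Host-sid=attacker-chosen; Domain=acme-example.com; Path=/; Secure"
HOST_PREFIX_HOSTONLY = "__Host-sid=attacker-chosen; Path=/; Secure"

if __name__ == "__main__":
    print("fixation reaches app:", sent_to(VICTIM_APP, FIXATION, HIJACKED))  # True
    print("__Host- with Domain:", prefix_violations(HOST_PREFIX_ATTEMPT))  # ['Domain attribute not allowed']
    print("host-only __Host- reaches app:", sent_to(VICTIM_APP, HOST_PREFIX_HOSTONLY, HIJACKED))  # False
```

One simplification: browsers also require a __Host- cookie to be set from a secure origin, which this model does not track; the attributes it does check are the ones that decide whether a sibling subdomain can reach across to the parent, which is the property the researchers' advice relies on.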
Lack of response
Yet despite this advice, the researchers found that six months after notifying the owners of the websites they tested of the potential vulnerabilities, "85% of the subdomains we tested were still affected by subdomain takeover vulnerabilities". We can only urge companies to make an effort here. Bottom line: it is easy to lose track of subdomains, especially in a large company, but ignoring them carries real risks.