Subdomain hijacking holes run rampant, say experts

The often-overlooked hacking technique of subdomain hijacking is threatening thousands of sites and their visitors despite efforts to eradicate it

A well-known but still widespread security vulnerability is putting both organizations and their customers at risk of attack.

This according to the team at Certitude Consulting, who were able to find thousands of sites vulnerable to subdomain hijacking attacks.

In a subdomain hijacking attack, an attacker seeks out a subdomain left over from an old project (say, "fidgetspinner.company.net") whose DNS record still points at a resource the organization no longer controls, such as an expired domain or a deprovisioned cloud hostname, and claims that resource as their own. Because the dangling DNS record was never removed (a common occurrence), whatever the attacker hosts there is served under "company.net" and appears to be a legitimate subdomain.

This opens the door to malware, phishing, or social engineering attacks, both against customers of the target and against employees who could be tricked into thinking the malicious site was an internal portal or project.

Certitude's researchers say they found thousands of subdomains with such dangling records, including at a number of large enterprises and government organizations.

More disturbingly, the Certitude team was able to carry the tactic over to cloud services, taking over subdomains whose records pointed at abandoned S3 buckets and WordPress sites belonging to well-known organizations.

"The situation becomes even more concerning as valid TLS certificates were issued for websites hosted on platforms like WordPress or Buzzsprout," noted Certitude security consultant Florian Schweitzer.

"This aspect further magnifies the illusion of content legitimacy, making the potential threats even harder to discern."

This is not a new form of attack; multiple studies and security efforts have noted how DNS and subdomain hijacking pose a threat to companies and consumers alike.

Earlier this year Microsoft posted an advisory warning administrators to be on the lookout for dangling DNS entries on their Azure subdomains.

Schweitzer told The Stack that addressing the issue will require work from both the administrators and service providers, as neither will be able to address the issue on their own.

"Since affected organizations cannot be sure that all their cloud providers implement protections (many do not), they themselves should remove dangling DNS records in their DNS servers. To identify these, they should regularly audit their DNS records and have processes in place to remove them once they discontinue using a cloud service," Schweitzer explained.

"But cloud service providers should also protect their customers from this issue by implementing automatic verifications of subdomain ownership. Such a measure could protect their customers from subdomain hijacking (for the scope of their cloud service only)."
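As an added example, not Certitude's tooling or anything from the article, the Python script below performs the kind of DNS audit Schweitzer recommends above against the two failure modes the article describes: a CNAME whose target no longer exists at all (an expired domain or a provider hostname that now returns NXDOMAIN), and a CNAME into a hosting service such as S3 or WordPress.com, where the provider's endpoint still resolves but reports that the specific bucket or site is gone and could be claimed by anyone. The zone export, the canned DNS and HTTP answers, and the `wordpress.com` fingerprint string are constructed for the example; only the S3 `NoSuchBucket` error code is a real provider response, and any fingerprint list like this has to be re-checked against current provider behaviour.

```python
"""Audit a zone export for dangling and claimable CNAME records.

Added example for this article; not Certitude's or any vendor's tool.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed BIND-style zone export. Names and addresses are fictional.
ZONE = """
www.company.net.            300 IN A     203.0.113.10
fidgetspinner.company.net.  300 IN CNAME fidgetspinner-assets.s3-website-us-east-1.amazonaws.com.
blog.company.net.           300 IN CNAME company-blog.wordpress.com.
status.company.net.         300 IN CNAME status.example-saas.com.   ; vendor shut down, hostname gone
mail.company.net.           300 IN MX    10 mx1.company.net.
"""

# "Resource is gone" fingerprints keyed by CNAME target suffix. S3's NoSuchBucket
# is AWS's real error code; the wordpress.com string is an assumption for
# illustration. Both must be maintained against the provider's live responses.
TAKEOVER_FINGERPRINTS = {
    ".amazonaws.com": "NoSuchBucket",
    ".wordpress.com": "doesn't exist",  # assumption, not verified here
}

# Constructed stand-ins for live DNS/HTTP so the example runs offline.
FAKE_DNS = {
    "fidgetspinner-assets.s3-website-us-east-1.amazonaws.com": "198.51.100.20",
    "company-blog.wordpress.com": "192.0.2.7",
    "status.example-saas.com": None,  # None models NXDOMAIN
}
FAKE_HTTP = {
    "fidgetspinner.company.net": "<Error><Code>NoSuchBucket</Code></Error>",
    "blog.company.net": "<html><body>Company blog: latest posts</body></html>",
}


@dataclass
class Finding:
    name: str     # the organization's own subdomain
    target: str   # where its CNAME points
    status: str   # dangling | unclaimed-on-provider | ok
    detail: str


def parse_zone(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) tuples; comments after ';' are dropped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 5:          # owner ttl class type rdata...
            continue
        owner, _ttl, _class, rtype, *rdata = parts
        records.append((owner.rstrip(".").lower(), rtype.upper(),
                        " ".join(rdata).rstrip(".").lower()))
    return records


def audit_zone(zone_text: str,
               resolve: Callable[[str], Optional[str]],
               fetch: Callable[[str], str]) -> List[Finding]:
    """Classify every CNAME in the zone using injectable DNS/HTTP lookups."""
    findings = []
    for owner, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME":
            continue
        if resolve(target) is None:
            findings.append(Finding(owner, target, "dangling",
                                    "CNAME target returns NXDOMAIN; remove or re-point it"))
            continue
        suffix = next((s for s in TAKEOVER_FINGERPRINTS if target.endswith(s)), None)
        if suffix is not None and TAKEOVER_FINGERPRINTS[suffix] in fetch(owner):
            findings.append(Finding(owner, target, "unclaimed-on-provider",
                                    f"{suffix} endpoint resolves but reports the resource is gone"))
        else:
            findings.append(Finding(owner, target, "ok", "target resolves and serves content"))
    return findings


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name.rstrip(".").lower())


def fake_fetch(host: str) -> str:
    return FAKE_HTTP.get(host, "")


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN and other failures surface as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_fetch(host: str) -> str:
    """Fetch the subdomain over HTTP; error bodies (e.g. S3 404) are kept."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")
    except urllib.error.URLError:
        return ""


if __name__ == "__main__":
    for f in audit_zone(ZONE, fake_resolve, fake_fetch):
        print(f"{f.status:22} {f.name} -> {f.target}  ({f.detail})")
```

Swap `fake_resolve`/`fake_fetch` for `live_resolve`/`live_fetch` to run against a real zone export. The point of the two-stage check is that a DNS-only audit misses the cloud cases the article highlights: the S3 and WordPress.com endpoints keep resolving after the bucket or site is deleted, so the record only looks healthy until you ask the provider whether the named resource still exists.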