Friday, February 24, 2017

Subdomain Takeover 2

So, (referring to my previous post) after the initial post about subdomain takeover by researchers from Detectify, they were contacted by another security researcher named Szymon Gruszeck. He provided them with another method, and its POC, to take over a subdomain, which he had found a year earlier. You can find his post here.

Screenshot of the website racing.msn.com used for his POC:

So, my TL;DR for this attack is:

Overview:
A subdomain can simply be taken over if it has a CNAME pointing to an expired domain.

Attack Scenario:
1) The attacker finds a subdomain (the victim's subdomain) whose CNAME points to a domain whose registration has expired.
2) The attacker simply buys the expired domain and phishes anyone who visits the site.

Example:
The researcher performed the attack for the subdomain racing.msn.com, whose CNAME was pointing to the expired domain msnbrickyardsweeps.com.

Further attack:
1) The attacker can obtain a valid SSL certificate for the domain they now own, and the victim will implicitly trust it because the browser shows the HTTPS padlock.

Requirements:
The victim's subdomain must currently point to an expired domain that can be bought.

Cause:
1) Victim's mistake. Again.
2) The registrar for the expired domain does no validation. But you can hardly blame them here.

Extent:
1) As mentioned in the previous post, most domain service providers do not verify domain ownership.
2) More importantly, the same attack can be performed with DNAME, NS and MX records.

Look at Detectify's blog post for more details. Have fun!

Tuesday, February 21, 2017

Subdomain Takeover used to hack President Trump's website!

On 19th Feb, President Trump's website secure2.donaldjtrump.com was hacked by an Iraqi hacker calling himself "Pro_Mast3r". The website was defaced to the following:

[Screenshot of the defaced page. Credit: g33xter]

However, the interesting bit is that, apparently, this hacker contacted the security news reporter Brian Krebs saying that he used the Subdomain Takeover attack described here to do so.

So, here's my TL;DR about it.

Attack Scenario:
1) The victim has a website set up on a subdomain of one of several service providers like Heroku, GitHub, Bitbucket, etc.
2) The victim is no longer using that service, but they did not remove the DNS record pointing to it.
3) The attacker creates an account with the service provider, claiming the subdomain as theirs.
4) The attacker uses the subdomain to phish legitimate users.

Requirements:
1) The victim must still point to the provider's subdomain in some way.
2) The victim must not own/use that subdomain at the provider anymore.

Cause:
1) Victim's mistake, obviously.
2) Service providers do not verify subdomain ownership.

Extent:
Detectify has identified 17 providers (a list that later grew to over 100) that did not verify subdomain ownership: Heroku, GitHub, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr.
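Both posts come down to the same defensive check: walk your own subdomains and look for CNAMEs that point somewhere you no longer control. The script below is an added example written for this page; it is not code from either post, from Szymon Gruszeck or from Detectify. It flags the two conditions described above: a CNAME whose target's apex domain no longer resolves at all (what an expired registration looks like from DNS, as with racing.msn.com), and a CNAME into a third-party provider's hostname, where the record is only safe while you still hold the account. The provider suffixes (herokuapp.com, github.io, myshopify.com), the victim.test zone and the DNS snapshot are all assumptions constructed so it runs offline; the resolver is injected so a live lookup can be swapped in.

```python
"""Dangling-CNAME audit for subdomain takeover (added example, not from the posts)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed provider hostnames (from general knowledge; the posts name providers,
# not the hostnames they hand to customers). Extend for your own environment.
PROVIDER_SUFFIXES: Dict[str, str] = {
    "herokuapp.com": "Heroku",
    "github.io": "GitHub Pages",
    "myshopify.com": "Shopify",
}

Record = Dict[str, object]
Resolver = Callable[[str], Optional[Record]]

# Constructed DNS snapshot standing in for live lookups. A name absent from
# the table behaves like NXDOMAIN. All names are hypothetical.
DNS_SNAPSHOT: Dict[str, Record] = {
    "victim.test": {"a": ["192.0.2.1"]},
    "www.victim.test": {"a": ["192.0.2.10"]},
    "static.victim.test": {"a": ["192.0.2.11"]},
    "cdn.victim.test": {"cname": "static.victim.test."},
    # Post 1 pattern: CNAME into a domain whose registration has lapsed.
    "racing.victim.test": {"cname": "www.sweeps-contest.test."},
    # Post 2 pattern: provider apex resolves, the customer hostname does not.
    "blog.victim.test": {"cname": "victim-blog.herokuapp.com."},
    "herokuapp.com": {"a": ["198.51.100.1"]},
    # Provider hostname that is still claimed: fine today, worth tracking.
    "shop.victim.test": {"cname": "victim-shop.myshopify.com."},
    "myshopify.com": {"a": ["198.51.100.2"]},
    "victim-shop.myshopify.com": {"a": ["198.51.100.3"]},
}

VICTIM_SUBDOMAINS = ["www.victim.test", "cdn.victim.test", "racing.victim.test",
                     "blog.victim.test", "shop.victim.test"]


@dataclass
class Finding:
    subdomain: str
    target: Optional[str]
    risk: str      # expired-target | third-party-target | dangling-target | ok | no-cname
    detail: str


def snapshot_resolver(snapshot: Dict[str, Record]) -> Resolver:
    """Build a resolver over the constructed table (None means NXDOMAIN)."""
    def resolve(name: str) -> Optional[Record]:
        return snapshot.get(name.rstrip(".").lower())
    return resolve


def registrable_domain(name: str) -> str:
    # Naive apex: the last two labels. Fine for .com/.test; a real audit
    # should use the Public Suffix List so "x.co.uk" is not cut to "co.uk".
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit(subdomain: str, resolve: Resolver) -> Finding:
    rec = resolve(subdomain)
    if rec is None or "cname" not in rec:
        return Finding(subdomain, None, "no-cname", "no CNAME; not exposed to this class of takeover")
    target = str(rec["cname"]).rstrip(".").lower()
    apex = registrable_domain(target)
    # Condition 1: the target's apex has vanished, i.e. the registration is gone.
    # NXDOMAIN is a strong signal; confirm availability via RDAP/WHOIS before acting.
    if resolve(apex) is None:
        return Finding(subdomain, target, "expired-target",
                       f"{apex} returns NXDOMAIN; if it can be registered, this CNAME is hijackable")
    # Condition 2: the target sits under a provider that hands out hostnames to customers.
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            state = "still resolves" if resolve(target) else "does not resolve (likely unclaimed at the provider)"
            return Finding(subdomain, target, "third-party-target",
                           f"{provider} hostname {state}; confirm the account is still yours or remove the record")
    # Anything else that no longer resolves still deserves a look.
    if resolve(target) is None:
        return Finding(subdomain, target, "dangling-target", "target has no records; find out who controls it")
    return Finding(subdomain, target, "ok", "target resolves and is not a known provider hostname")


def audit_zone(subdomains: List[str], resolve: Resolver) -> List[Finding]:
    return [audit(name, resolve) for name in subdomains]


if __name__ == "__main__":
    for f in audit_zone(VICTIM_SUBDOMAINS, snapshot_resolver(DNS_SNAPSHOT)):
        print(f"{f.risk:20} {f.subdomain:22} -> {f.target or '-'}  {f.detail}")
```

Run this periodically over the names in your zone file rather than once: a CNAME that is "ok" today becomes "expired-target" the day the registration lapses, and a provider hostname that "still resolves" becomes unclaimed the day someone deletes the app. The MX, NS and DNAME variants the first post mentions need the same walk over those record types.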

For further details read their blog post. Enjoy.