Skip to the content.

DIVD-2022-00007 - Subdomain Takeovers

Our reference DIVD-2022-00007
Case lead Martin van Wingerden
Researcher(s)
CVE(s)
  • n/a
Product Azure, AWS, GitHub, etc
Versions n/a
Recommendation Cleanup unused DNS records
Workaround n/a
Status Closed
Last modified 26 May 2023 13:27

Summary

Subdomain takeovers do not only allow the attacker to publish content on the targets website, but in some case it will also allow reading (session) cookies, perform other attacks such as cross-site scripting or even trick password managers.

Subdomain takeovers typically occur when a CNAME is still pointing to a service which is no longer active, or in some cases because a typo was made while creating the CNAME. Note however, that even when using A / AAAA records you could, in certain cases, still be vulnerable to subdomain takeovers.

Since 2014 subdomain takeovers have been growing problem. Due to the increased adoption of cloud this is also not a issue that will go away easily.

What you can do

What we are doing

We are scanning the internet for vulnerable subdomain, and will attempt to notify system owners via the listed abuse contacts, info@ and security@.

We will continue scanning for potential subdomain takeovers in the future and whenever needed start a new case to track them.

Further details

The vulnerability does not work exactly the same for each service and some/most services offer some sort of security options.

AWS S3

By creating a bucket with a domain-name, eg www.example-bucket.com and setting up a CNAME pointing to the correct region you can easily host a website. However, when this bucket no longer exist anyone can take over the website by creating a bucket in the correct region. This is especially risky when using wildcard DNS records.

AWS Elastic Beanstalk

One case of the Elastic Beanstalk URLs is vulnerable for a subdomain takeover, this is the case where a single part exists before the region, eg: example.eu-central-1.elasticbeanstalk.com. In other cases (such as recent ones, where a hash occurs before region) no vulnerabilities arise, example: example.eu-central-1.hjklfshj.elasticbeanstalk.com

GitHub

CNAMES pointing to any username.github.io are vulnerable if they are not registered and not protected. Please be aware that the username to which the CNAME points provides NO security, the way to protect your (sub)domain is by verifying your custom domain at GitHub.

Azure - App Services

(Sub)domains pointing to Azure App Services (CNAMES pointing to something.azurewebsites.net) can be vulnerable for subdomains takeover. However, a protection is available, unfortunately it is not commonly used, you can configure a domainverification-id in a DNS TXT record

Azure - Other services

Most other services don’t provide additional security measure. If the service is completely removed from Azure while the CNAME is still there, subdomain takeovers are possible.

Unregistered Domains

A special case of subdomain takeovers does not work with cloud providers, in this case a CNAME has been created to another domain name, which is not/no longer registered, by registering this domain one could perform a takeover.

Timeline

Date Description
04 Feb 2022 First DIVD scan of CNAMES of .NL domains pointing to unregistered domains
09 Feb 2022 First scan of CNAMES of .BE domains
13 Feb 2022 DIVD sends out a first batch of notifications to NL domain owners.
13 Feb 2022 DIVD sends out a first batch of notifications to BE domain owners.
13 Feb 2022-
18 Feb 2022
First scan & notify of CNAMES of .DE domains
12 Feb 2022-
18 Feb 2022
First scan & notify of CNAMES of .EU domains
13 Feb 2022-
18 Feb 2022
First scan & notify of CNAMES of .EDU domains
15 Feb 2022-
03 Mar 2022
First scan & notify of CNAMES of .UK domains
14 Feb 2022-
01 Mar 2022
First scan & notify of CNAMES of .ORG domains
18 Feb 2022-
01 Mar 2022
First scan & notify of CNAMES of .IO domains
18 Feb 2022-
01 Mar 2022
First scan & notify of CNAMES of .CO domains
18 Feb 2022-
01 Mar 2022
First scan & notify of CNAMES of .FR domains
01 Mar 2022-
02 Mar 2022
Second scan & notify of CNAMES of .NL domains
01 Mar 2022-
02 Mar 2022
First scan & notify of CNAMES of .DK domains
01 Mar 2022-
02 Mar 2022
First scan & notify of CNAMES of .SE domains
01 Mar 2022-
02 Mar 2022
First scan & notify of CNAMES of .FI domains
01 Mar 2022-
02 Mar 2022
First scan & notify of CNAMES of .NO domains
02 Mar 2022-
03 Mar 2022
First scan & notify of CNAMES of .INT, .HR, .AERO, .TRAVEL, .NGO, .ONG domains
02 Mar 2022-
03 Mar 2022
First scan & notify of CNAMES of .IT domains
02 Mar 2022-
03 Mar 2022
First scan & notify of CNAMES of .US domains
03 Mar 2022-
04 Mar 2022
First scan & notify of CNAMES of .LU domains
03 Mar 2022-
04 Mar 2022
First scan & notify of CNAMES of .IE domains
03 Mar 2022-
04 Mar 2022
First scan & notify of CNAMES of .PT domains
17 Mar 2022-
17 Mar 2022
First scan & notify of CNAMES of .EE domains
03 Mar 2022-
01 Apr 2022
First scan & notify of CNAMES of .NET domains
03 Mar 2022-
01 May 2022
First scan & notify of CNAMES of .APP domains
04 Apr 2022-
01 May 2022
First scan & notify of CNAMES of .COM domains
01 May 2022-
01 May 2022
First scan & notify of CNAMES of .ONLINE domains
28 Oct 2022 Handed out scan result for Belgium to Centre for Cyber Security Belgium (CCB)
gantt title DIVD-2022-00007 - Subdomain Takeovers dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00007 - Subdomain Takeovers (300 days) :2022-02-04, 2022-12-01 section Events First DIVD scan of CNAMES of .NL domains pointing to unregistered domains : milestone, 2022-02-04, 0d First scan of CNAMES of .BE domains : milestone, 2022-02-09, 0d DIVD sends out a first batch of notifications to NL domain owners. : milestone, 2022-02-13, 0d DIVD sends out a first batch of notifications to BE domain owners. : milestone, 2022-02-13, 0d First scan & notify of CNAMES of .DE domains (5 days) : 2022-02-13, 2022-02-18 First scan & notify of CNAMES of .EU domains (6 days) : 2022-02-12, 2022-02-18 First scan & notify of CNAMES of .EDU domains (5 days) : 2022-02-13, 2022-02-18 First scan & notify of CNAMES of .UK domains (16 days) : 2022-02-15, 2022-03-03 First scan & notify of CNAMES of .ORG domains (15 days) : 2022-02-14, 2022-03-01 First scan & notify of CNAMES of .IO domains (11 days) : 2022-02-18, 2022-03-01 First scan & notify of CNAMES of .CO domains (11 days) : 2022-02-18, 2022-03-01 First scan & notify of CNAMES of .FR domains (11 days) : 2022-02-18, 2022-03-01 Second scan & notify of CNAMES of .NL domains (1 days) : 2022-03-01, 2022-03-02 First scan & notify of CNAMES of .DK domains (1 days) : 2022-03-01, 2022-03-02 First scan & notify of CNAMES of .SE domains (1 days) : 2022-03-01, 2022-03-02 First scan & notify of CNAMES of .FI domains (1 days) : 2022-03-01, 2022-03-02 First scan & notify of CNAMES of .NO domains (1 days) : 2022-03-01, 2022-03-02 First scan & notify of CNAMES of .INT, .HR, .AERO, .TRAVEL, .NGO, .ONG domains (1 days) : 2022-03-02, 2022-03-03 First scan & notify of CNAMES of .IT domains (1 days) : 2022-03-02, 2022-03-03 First scan & notify of CNAMES of .US domains (1 days) : 2022-03-02, 2022-03-03 First scan & notify of CNAMES of .LU domains (1 days) : 2022-03-03, 2022-03-04 First scan & notify of CNAMES of .IE domains (1 days) : 2022-03-03, 2022-03-04 First scan & notify of CNAMES of .PT domains (1 days) : 2022-03-03, 2022-03-04 First scan & notify of CNAMES of .EE domains (0 days) : 2022-03-17, 2022-03-17 First scan & notify of CNAMES of .NET domains (29 days) : 2022-03-03, 2022-04-01 First scan & notify of CNAMES of .APP domains (59 days) : 2022-03-03, 2022-05-01 First scan & notify of CNAMES of .COM domains (27 days) : 2022-04-04, 2022-05-01 First scan & notify of CNAMES of .ONLINE domains (0 days) : 2022-05-01, 2022-05-01 Handed out scan result for Belgium to Centre for Cyber Security Belgium (CCB) : milestone, 2022-10-28, 0d

More information