Editor's note (August 2022): This post has been updated and republished on the Halo Security blog. View updated version ➝
Subdomain takeover attacks pose serious risk to organizations around the world. While this type of attack is being discussed more and more, many organizations do not understand the full impact and the risk is often minimized. In this post, we’ll shed more light on the real consequences of subdomain takeovers and share recommendations on how to stay protected from them.
What is a subdomain takeover?
Let’s take a moment to first understand what a subdomain takeover is at a high level (we’ll dive in deeper later in this post).
A subdomain takeover is a situation in which a malicious actor is able to control some or all of the content on a given subdomain. There are two ways to carry out this attack, which we’ve classified as Type 1 and Type 2 subdomain takeovers.
A Type 1 subdomain takeover is a full DNS takeover. In this situation, the attacker compromises a vulnerable subdomain and then uses it to carry out various types of attacks on the owner of that subdomain. These attacks can be anything from setting up a phishing website to serving malicious content to stealing cookies and customer information.
In a Type 2 subdomain takeover, the attacker compromises the target through a third-party service that the subdomain is pointing to. What typically happens is the target’s account with the third-party service gets deleted or delisted in some way, but the DNS record still remains. The attacker can then go in and make use of the existing DNS record by creating a new account using the old information, and they now control it.
In both cases, the site owner may not realize they’ve fallen victim to a takeover until it’s too late.
Who is vulnerable to subdomain takeover?
Now that you have an understanding of what a subdomain takeover is, let’s take a look at who’s susceptible to an attack.
Unfortunately, there are a lot more organizations at risk of this type of attack than many realize. According to a recent study of the top 50,000 sites on the Tranco list, 1,520 subdomains across 887 sites were found vulnerable to takeover. Of those sites, 83% were vulnerable because of discontinued third-party services. The remaining 17% were vulnerable due to expired domains.
Additionally, security researchers at RedHunt Labs have discovered more than 400,000 subdomains with misconfigured CNAME records, leaving many at risk of malicious takeover.
There have been several examples of high-profile organizations that were found to be susceptible to subdomain takeover in recent years. In December 2020, an Israeli research group made EA aware of several domain takeover vulnerabilities that would possibly allow attackers to send and read emails from the domains and operate a spoofed site.
In 2017, we learned how a researcher was able to steal valid session cookies on uber.com through SSO due to cookie sharing. And in 2019, Starbucks was vulnerable to session hijacking and cross-site scripting because of a forgotten subdomain that was pointing to a non-existent Azure cloud resource.
How does an attacker carry out a subdomain takeover attack?
The most common type of subdomain takeover begins with a malicious actor identifying a CNAME record that is pointing to an orphaned resource, otherwise known as a danging DNS record. Once the dangling DNS record has been identified, there are three primary attack vectors that can lead to further exploitation.
These attack vectors include discontinued services, such as Shopify, GitHub, and Tumblr, deprovisioned infrastructure instances, like Azure websites, Azure Traffic Manager, and AWS S3 buckets, and expired domains. Depending on the attack vector that is exploited, the malicious actor will control some or all of the content on the subdomain, allowing them to launch attacks on the primary or a related domain.
Let’s drill down into how a malicious actor uses these attack vectors. We’ll start with a common Type 1 subdomain takeover scenario.
Check out our recent webinar to see a demonstration of a Type 2 subdomain takeover played out step by step.
How to prevent a subdomain takeover
The best way to prevent a subdomain takeover is by having a complete understanding of what’s on your attack surface. Because the attack surface is constantly changing and evolving, this means you need to have tools in place that are continuously discovering and monitoring your domains, subdomains, and their connections for broken resources so that you can find and fix any issues before an attacker can compromise them.
Because subdomain takeovers typically require remarkably few technical skills from an attacker and can be difficult to detect, they present a significant risk to all businesses. Don’t wait until it’s too late to protect your organization. Book a meeting with TrustedSite’s security experts to get a free evaluation of your risk to subdomain takeover.