Forgotten subdomains boost risk of account hijacking, other attacks
Back in October, a Web security firm called Detectify warned that many companies have created subdomains to use with third-party services, such as remotely hosted helpdesk systems, code repositories and blogs, but then forgot to disable them after closing their accounts on those third-party services.
As a result, attackers can now open accounts with the same services, claim the subdomains pointed there as their own, and create credible phishing pages, the Detectify researchers explained at the time. This is possible because online services often don't verify the ownership of subdomains.
But the issues stemming from outdated DNS records are not limited to abuse through accounts on third-party services. Since October, Szymon Gruszecki, an independent security researcher who regularly participates in bug bounty programs, has told Detectify about another attack vector: subdomains pointed to domain names that are no longer registered.
In such a case, a company has created a subdomain under its main domain and pointed it at another website, such as a site set up for a one-time event like a contest or promotion. After serving its purpose, that website was later taken down and its domain was left to expire, but the subdomain's DNS records remained pointed at it.
An attacker could exploit such a situation by registering the expired domain and setting up a phishing page that mimics the company's main website. The page would then be accessible through the forgotten subdomain and could be spammed to users.
One year ago, Gruszecki scanned the Internet's 5,000 most trafficked domains as listed by Amazon.com subsidiary Alexa Internet. He found 49 subdomains that had a CNAME (Canonical Name) DNS record pointing to a domain that was no longer registered.
One of those subdomains was the Microsoft-owned racing.msn.com, which points to msnbrickyardsweeps.com. According to a November 2001 snapshot of msnbrickyardsweeps.com on the Internet Archive's Wayback Machine, the site was used for a Microsoft Windows XP peak performance sweepstakes.
Gruszecki registered msnbrickyardsweeps.com and was able to set up a rogue page on racing.msn.com as a proof of concept. He has since redirected the domain to Bing.com and is waiting for Microsoft to update the CNAME record for racing.msn.com.
The danger extends beyond mere phishing. If a subdomain doesn't have its own MX (mail exchanger) record configured -- and most don't -- it uses the same email server as the domain specified in the CNAME record. In other words, the owner of msnbrickyardsweeps.com would also be able to receive and send email on behalf of @racing.msn.com email addresses.
If a subdomain like something.example.com is vulnerable, an attacker could use email addresses like webmaster@something.example.com or postmaster@something.example.com to prove his ownership over that subdomain and register a valid SSL certificate, said Frans Rosén, co-founder of Detectify.
The attacker could then set up an HTTPS (HTTP Secure) website on the something.example.com subdomain and trick example.com users to visit it in order to steal their authentication cookies.
Authentication cookies are unique identifiers that websites store in browsers to track authenticated users after they sign in. If stolen, for example by intercepting the traffic between a user's browser and a website, an authentication cookie can be placed into another browser to gain access to the account it corresponds to.
In order to prevent such man-in-the-middle cookie thefts, webmasters use SSL to encrypt the traffic between users' browsers and their websites and set a "Secure" flag for cookies so that they only get transmitted over HTTPS connections.
Many sites set cookies to be valid not only for their main domain, but for all subdomains under that domain. That's why after you log into your Google or Microsoft account you will be logged into all of those companies' services, even though the various services use different subdomains.
The cookie theft issue doesn't apply to racing.msn.com because msn.com is not an HTTPS website, and the log-in process is actually handled through live.com, so the cookies are tied to that domain. However, the attack could be possible on other sites that have similarly vulnerable subdomains.
In addition to cookie theft, the ability to load arbitrary code on a subdomain could also help attackers to bypass same-origin and cross-domain security restrictions for the corresponding domain.
"It's not only CNAME entries that can be vulnerable to this, other records can also be used, such as DNAME and NS," the Detectify researchers said in a blog post.
In addition to DNS resource records pointing to expired domains, Gruszecki found instances where the entries had been mistyped -- instead of www.example.com, the administrator typed wwwexample.com. In such a case, the attacker could register wwwexample.com.
"In conclusion, even though the administration of DNS records is a hassle by itself, the Resource Records need to be constantly validated and checked," the Detectify researchers said. "Not only for unused services, but for typos and/or misconfigurations."