Subdomain takeover due to misconfigured project settings for Custom domain.
Hi readers,
Today I will write about subdomain takeover. It is a common security issue caused by a developer's mistake: leaving an unused or unclaimed third-party service DNS CNAME record in place for one of their subdomains. Hackers can then claim those subdomains with the help of the external service they point to, which can lead to serious issues. You can learn more about subdomain takeover from the Detectify blog.
While testing flock.com I got a domain flock.co which is under the Flock company. So I started looking at its subdomains and found the subdomain newdev.flock.co. When I visited the subdomain in a browser I got an error like the screenshot below:-
This caught my attention. So I checked the DNS record for this domain.
R3liGiOus_HuNt3r$ dig newdev.flock.co
; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co. IN A
;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 126.96.36.199
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 188.8.131.52
;; Query time: 69 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175
From the above record we can say the subdomain points to the CNAME cname.readme.io. So I started looking at the custom domain documentation on the readme.io website to understand how it works. From their documentation I understood that:-
- You need a subdomain pointing to your readme.io subdomain [yoursubdomain.readme.io].
- Your subdomain should be configured in the domains settings on the following page https://dash.readme.io/project/<project
So to take over I needed to check whether cname.readme.io was already claimed or not. But unfortunately it was already claimed :( . But I have seen that many such services don't force users to verify their ownership of domains using a CNAME or TXT record matching their service subdomain. So there was still hope.
I opened an account on readme.io and got the subdomain newdev.readme.io. Then I went to the domains settings https://dash.readme.io/project/newdev/v1.0/domains and in the Custom Domain field used newdev.flock.co as the value and saved the changes.
This is showing that I am using a trial account. In the webpage title you will see my project name, which I used while creating the project. So now this domain is serving my content from the newdev.readme.io project page.
How to avoid such issues? :- Always keep your DNS records up to date. Remove CNAME or any other DNS records that are no longer in use.
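An offline check for the mitigation above, added here as an example and not part of the original post: it parses the ANSWER SECTION of a dig query (the post's own dig output is embedded as the sample) and flags any hostname whose CNAME chain lands on a hosted service with a custom-domain feature. The readme.io suffix list is an assumption; extend it with whatever third-party services your organisation uses.

```python
# Constructed sample input: the ANSWER SECTION lines from the dig output in the
# post, embedded so the audit runs offline. A real audit feeds it `dig <host>`.
DIG_OUTPUT = """\
;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 126.96.36.199
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 188.8.131.52
;; Query time: 69 msec
"""

# Hosted services with a custom-domain feature whose records deserve a manual
# ownership check (assumed list; readme.io is the service from the post).
THIRD_PARTY_SUFFIXES = ("readme.io",)

def parse_records(dig_output):
    """Return (owner, type, rdata) tuples found in the dig ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):  # any other ';;' header ends the section
            in_answer = False
            continue
        parts = line.split()
        if in_answer and len(parts) == 5:
            owner, _ttl, _cls, rtype, rdata = parts
            records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def cname_chain(records, name):
    """Follow CNAME records from `name`; returns the targets in order (loop-safe)."""
    current = name.lower().rstrip(".") + "."  # dig prints fully qualified names
    chain, seen = [], {current}
    while True:
        targets = [r for o, t, r in records if o == current and t == "CNAME"]
        if not targets or targets[0] in seen:
            return chain
        current = targets[0]
        seen.add(current)
        chain.append(current)

def audit(records, name, suffixes=THIRD_PARTY_SUFFIXES):
    """Flag a host whose CNAME chain lands on a hosted service: such a record
    must be removed when the hosted project goes away, or it becomes a dangling
    pointer that anyone registering the name at the service can serve under."""
    chain = cname_chain(records, name)
    hits = [s for s in suffixes
            if any(h.rstrip(".") == s or h.rstrip(".").endswith("." + s) for h in chain)]
    return {"host": name, "chain": chain, "third_party": hits, "review": bool(hits)}
```

Run it over every subdomain in your zone and review each flagged host against the list of third-party projects your team actually still owns.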
If you find a security vulnerability, feel free to contact them via email@example.com
Thanks for reading. You can find me on Facebook anytime :- https://www.facebook.com/prial261