Subdomain takeover dew to missconfigured project settings for Custom domain .

Prial Islam Khan
Oct 25, 2018 · 3 min read

Hi readers ,

Today I will write about Subdomain takeover . It’s a common Security issue what is actually developers mistake when they left a Unused/unclaimed 3rd party Service DNS CNAME record for a subdoamin of theirs and Hackers can claim those subdomains with the help of external services it pointing to what could lead to serious issues . You can learn more about Subdomain takeover from detectify blog .

While testing flock.com I got a domain flock.co what is under flock company . So I stared looking at it’s subdomains and got subdomain newdev.flock.co . When I visited the subdomain in browser I got a error like below screenshot :-

Error Page

This took my attention . So I checked the DNS record for this domain .

R3liGiOus_HuNt3r$ dig newdev.flock.co; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co. IN A
;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.0.214.29
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.5.249.117
;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175

From above record we can say the subdomain is pointing to CNAME cname.readme.io . So I start looking at custom domain documents on readme.io website to understand how they works . From their document I understand that :-

  • You need a subdomain pointing to your readme.io subdomain [yoursubdomain.readme.io] .
  • Your subdomain should be configured in domains settings in following page https://dash.readme.io/project/<project
    _Name>/v1.0/domains

So to takeover I need to check if cname.readme.io is alreday claimed of not . But Unfortunately it was already claimed :( . But I have seen many such services doesn’t force users to verify their ownership of domains by using same CNAME txt record like their service subdomain . So still there’s a hope .

I opened a account in readme.io and I got a subdomain newdev.readme.io . Then I go to domains settings https://dash.readme.io/project/newdev/v1.0/domains and in Custom Domain Field used newdev.flock.co as value and save changes .

Now when I visited newdev.flock.co It redirected me to http://newdev.flock.co/inactive this page what saying now that Not Yet Active.

See page title ;)

This is showing as I am using a trail account . In the webpage title you will see my project name what I used while creating the project . So now this domain is serving my contents from newdev.readme.io project page .

How to avoid such issues ? :- Always update your DNS records . remove CNAME or any other DNS records what is not in used .

If you find a security vulnerability feel free to contact them via security@flock.com

Thanks for reading . You can find me on Facebook anytime :- https://www.facebook.com/prial261

Prial Islam Khan

Written by

A teenager boy with passion of Breaking Security .

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade